[HN Gopher] Twitter says an attacker used its API to match usernames to phone numbers
Author : spzx
Score : 195 points
Date : 2020-02-04 06:51 UTC (1 days ago)
web link (www.zdnet.com)

| TylerE wrote:
| It's a phone number, not your bank account.
|
| It's public information.
|
| Do you want to sue the phone telcos for publishing the phone book?
| XMPPwocky wrote:
| What's your phone number?
|
| I might call you and check- and check for VOIP numbers, too, so no fakes.
| [deleted]
| techsupporter wrote:
| > check for VOIP numbers, too, so no fakes
|
| Ah yes, continuing the fiction that anyone who uses a VoIP service must be a fraudster with a faked phone number.
|
| Just another in the long list of if you are not using Google or Microsoft e-mail and AT&T or Verizon or T-Mobile or Sprint postpaid mobile phone service, you're obviously up to no good and deserve whatever "anti-fraud" you get.
| Jestar342 wrote:
| > It's public information.
|
| No, it isn't.
| stuff4ben wrote:
| you have one of those private, encrypted phone numbers that prevents unauthorized usage? Get over yourself, it's public information.
| eternalny1 wrote:
| > you have one of those private, encrypted phone numbers that prevents unauthorized usage? Get over yourself, it's public information.
|
| Is it?
|
| If I find out your phone number, "stuff4ben", then I know who "stuff4ben" really is.
|
| People have been missing this for a LONG time now. Phone numbers are the unique identifier, especially with portability.
|
| You can use 50 different usernames across 50 different sites but with that phone number, I know they are all you.
|
| Which I can then link up to the 1,000 other sites you use those 50 usernames on without providing your phone number, and it's still likely you.
|
| The NSA's database must be very interesting out at the Utah Data Center. This is how it all works, because you can mask your IP address using Tor but you can't mask any of that unless you've taken very careful steps along the entire history of your internet usage, from the start.
| BoorishBears wrote:
| Eh, it pretty much is. At least in the US
|
| I have a pretty unique name, you can search my first name + "voter registration" and get my address, phone number, and birthdate
|
| Even if my name was common, it'd still be out there
| thiagomgd wrote:
| But on twitter you don't need to give anyone your real name. THAT'S the thing. There should be no way to tie your twitter account to you, unless you specifically allow them to share your information.
| ryanlol wrote:
| Isn't that really for twitter to decide?
|
| Besides, weren't the people who had opted out from the "Let people who have your phone number find you on Twitter" unaffected by this?
| BoorishBears wrote:
| Sure, that's what the other replies above the comment I replied to are saying, but this is specific to phone numbers
|
| A lot of people are not aware of the fact this information is all public
| throwaway55554 wrote:
| Just because it's public doesn't mean it should be shared with everyone.
|
| You wouldn't type your number into a HN comment, would you? Probably not because you know exactly what would happen.
| AlexandrB wrote:
| It may be public, but I don't see you posting your phone number on HN. Perhaps that's because you don't want everyone in the world to have it? Doesn't seem like an unreasonable expectation to me.
| mstolpm wrote:
| No, it's only public if you choose to disclose it. Phone numbers are PII (personal identifying information) in regards to the GDPR.
| tripa wrote:
| Sorry for the slight pedantry, but PII is some American thing. GDPR deals with "personal data".
|
| It's playing on words until you find out the PII definition isn't the one that's used to settle GDPR claims.
| inetknght wrote:
| You're cutting hairs here. Phone numbers are protected under both European and US privacy protection laws.
| zepolen wrote:
| What's your phone number?
| RL_Quine wrote:
| What's your phone number? If it's public you don't mind sharing it. My address book is filled with people who would be very sad if that were made public.
| ckastner wrote:
| It's not public information, and it's considered identity-tied enough to be used in many forms of two-factor identification.
| ghaff wrote:
| Private vs. public isn't a fine-grained enough distinction. It's not private in the sense that most people give it out to lots of people so that they can be contacted. (Of course, in the case of landlines, they're mostly listed in a public directory somewhere but I assume we're talking mobile here.)
|
| BTW, your bank account number is the same way if you write checks.
|
| So they're not private in the way that some data (like health information) that you're only going to share very selectively is private. But it's mostly not public in the sense that you'll likely put it online unless maybe it's a business phone.
| moron4hire wrote:
| It is public information, and that's why it's ludicrous that it's used for two-factor authentication.
|
| Two-factor authentication is a dumb solution to a real problem. The problem should be properly solved, rather than hacked around with stupid solutions like "sending notifications to accounts that can easily be spoofed by willful actors".
| SAI_Peregrinus wrote:
| > Two-factor authentication is a dumb solution to a real problem. The problem should be properly solved, rather than hacked around with stupid solutions like "sending notifications to accounts that can easily be spoofed by willful actors".
|
| SMS Two-factor authentication is a dumb solution.
| Actual two-factor authentication like FIDO U2F tokens is a better solution. Even TOTP is better than SMS auth.
| jchw wrote:
| Your _identity_ is not public information on Twitter. Posting someone's phone number and Twitter handle, if they did not explicitly share it anywhere, would be doxing, against almost any site ToS, and potentially even illegal.
| sdan wrote:
| Are there any legal repercussions against doxxing?
| jchw wrote:
| It depends on the jurisdiction but definitely. I am not a lawyer, though; I'll just defer to your favorite search engine on this one.
| glofish wrote:
| pff, considering that a large number of two factor authentication protocols send you SMS your phone number might just as well be your bank account
| moron4hire wrote:
| I'm sorry you're getting downvoted to oblivion on this. There are two cohorts on HN: those who think you can do whatever the hell you want as long as you put "startup" in front of it, and those who think anything a company does is the end of the world. And while I suspect these two cohorts overlap a lot, today you've definitely gotten hit by the latter.
| rezeroed wrote:
| Why on earth would you give twitter your phone number!? It's an ad company. Why on earth would you give an ad company your phone number?!
| [deleted]
| arminiusreturns wrote:
| Went on a tweet storm a few months ago. Twitter locked my account and forced me to give my phone number. I started getting spam calls at a level I didn't before (may be coincidence but am very tight about that sort of thing, I don't even give my grocery store my #) and I knew, just knew that at some point, this very thing would happen.
|
| Combine that with the story that the Saudis had infiltrated twitter and were spying on users, especially in light of how they treat their opponents (Khashoggi), when do we stop supporting companies that do these obviously poor practices?
| vorpalhex wrote:
| > when do we stop supporting companies that do these obviously poor practices?
|
| Well, you just indicated you chose to continue supporting this company with the poor practice above. What would make you switch away from them? Clearly the spam calls weren't enough.
| Jamwinner wrote:
| Exactly. These people are petting the dog after it attacks their kid, oblivious to the training they are offering and reinforcing. We as a collective are just teaching big tech how to more effectively enslave us for profit.
| scottlocklin wrote:
| Saudi problem seems more severe! Call me crazy!
|
| Not that I use twitter; people who get on the thing seem to have some bizarro Stockholm syndrome.
| arminiusreturns wrote:
| It's a complicated issue. I am very privacy focused, the kind of person that doesn't do facebook, burns accounts on different forums regularly, etc, but I have to admit I enjoyed the information I got out of twitter while not enjoying some of their recent changes.
|
| Since the spam calls and the phone link in though, I have already changed my twitter-name and lost all followers, and since then I pretty much stopped tweeting. Haven't logged in in at least a month now.
|
| The main problem with adoption of an alternative is that I was using it to keep up with the kinds of people that aren't necessarily going to move to an alternative until it reaches some sort of critical mass. My RSS feeds are already full enough without having to add a bunch of random single person blogs to keep up with, so I'm not sure to be honest. Twitter was my main compromise to stay more socially connected with a wider array of people and it's hard to let go of that.
|
| Despite my desire for good federated and open source social networking, it isn't quite there yet, and so for the time being the one social outlet alternative I see glimmers of hope in is WT.Social.
| em-bee wrote:
| you can still follow people without logging into twitter. their posts are public. you can't DM with them though, and they also can't follow you. they also can't block you. but as far as "getting information out of twitter" is concerned, no account is needed
| _Understated_ wrote:
| > Twitter did not clarify who these third-parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to describe either government intelligence agencies, or third-party hacking groups that benefit from a government's backing.
|
| Can someone explain this to me please? Are "state-sponsored hackers" this foolish to use the same IP addresses as previous, known IP's used in hacks?
|
| Or is this just the current "because terrorism / because pedophiles" used to cover incompetence?
|
| I don't get it...
| BurnGpuBurn wrote:
| Yeah I never believe the "state-sponsored" hackers claim, or any claim to the location of them, until those hackers get caught and convicted based on real evidence. It's basically guesswork anyway. And certainly to a company like Twitter who doesn't even have the capabilities to really investigate a hack, compared to say the NSA, CIA or similar spooks.
| meowface wrote:
| I've been involved in research of this nature, though not specifically attributing APTs. Think of it like old school detective work: every crime and every criminal leaves traces, including the traces of the ways they attempt to prevent being traced. This sometimes also includes attempts to impersonate other entities ("false flags"). No matter how many layers of indirection an attacker uses, there's going to be at least one thread to pull on.
|
| There's no equivalent to DNA testing, but sometimes you can have pretty high confidence in an attribution. To be clear, this goes incredibly far beyond looking at IP address geolocation or whatever.
| That's less than 1% of what you're looking at. That'd be like police assuming a death threat was signed with someone's real name.
|
| There's no way of knowing exactly what they identified or how they did it or if they got it right. I wish more companies would release such information and how they conducted the entire analysis (some do), though I understand that may not be possible due to legal and counter-intelligence reasons.
| mikey_p wrote:
| The deepest irony of all this is that they require phone numbers to verify accounts, which should cut down on fake accounts, yet they had a large amount of fake accounts using this very feature, which means verifying with a phone number may not be super effective anyway...
| kwijibob wrote:
| I factory reset my phone so I lost my gauth 2fa for Twitter. I'm locked out now.
|
| I cannot get Twitter to let me back in even though I can verify my email and phone SMS.
|
| I didn't make a backup code because I assumed I could use email/SMS in this situation. It seems not.
|
| So another smaller irony is that you cannot make valid use of your linked phone number that they nag you for.
| kingosticks wrote:
| Any chance this means they'll get rid of their popup that asks for my phone number every time I visit. You only have to refresh the page to get rid of it but it is annoying. This incident shows they don't know what they are doing and don't respect their users' data.
| mLuby wrote:
| Why is "impacting" better than "affecting?"
| dghughes wrote:
| For starters impact is a noun and affect is a verb.
|
| It's probably textbook risk analysis lingo, an impact is measurable but an affect is not.
|
| Usually an impact scale is created to define what impact level 5 would involve versus impact 1. It's still arbitrary but more configurable than affect.
|
| Just my two cents, no guarantee.
| [deleted]
| lowdose wrote:
| Kind of ironic Twitter can't protect data theft but spends a considerable amount of resources to detect Deep Fakes.
| krapp wrote:
| How is that ironic, those are two entirely different issues.
| daenz wrote:
| At some point we'll realize that privacy invasive policies are a huge security liability, right?
| thiagomgd wrote:
| I was already thinking of deleting my twitter account. This is just an extra incentive
| buboard wrote:
| phone numbers are better than ips for surveillance. they follow you everywhere.
| Scoundreller wrote:
| I eagerly look forward to a phone-number free world.
|
| Would help a lot with global mobility.
| simonebrunozzi wrote:
| Class action?
| markovbot wrote:
| Unlikely to succeed. This sort of invasive, drag-net data collection without user knowledge or consent is considered standard practice.
|
| All twitter users "agreed" to it when they created their account (via the legal fiction that humans read and agree to terms of service)
| cmcd wrote:
| I didn't create a twitter account but my information could have been leaked via this process.
| markovbot wrote:
| Is there some law against them collecting your information from your friends without your consent? I'm not a lawyer, just an observer of how these sort of things regularly go, and I'm going to guess that what they did here was 100% legal.
|
| Obviously this is morally abhorrent, but in the US the laws are written to protect large corporations like Twitter, not their victims.
| paulddraper wrote:
| That's not damages though.
| jdc wrote:
| I'm not convinced that "standard practice" is a sufficient legal defense.
| 3fe9a03ccd14ca5 wrote:
| Twitter could go a long way in solving this issue by _not requiring a phone number_ for an account. While you don't need one to sign up, after some short period of time you'll be locked out if you don't provide one.
| jrochkind1 wrote:
| > The endpoint matches phone numbers to Twitter accounts for those people who have enabled the "Let people who have your phone number find you on Twitter" option and who have a phone number associated with their Twitter account.
|
| I don't recall hearing about this option. I followed the link they helpfully included[1] to see if I had it set.
|
| I found that I DID have "Let people who have your phone number find you on Twitter" checked. But did NOT have "Let people who have your email address find you on Twitter" checked.
|
| It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email". But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?
|
| I am guessing they intend to default all of these to on (opt-out rather than opt-in), cause few people would take the trouble to go and opt-in even if they didn't mind or would like it.
|
| But... you know. Anyway, I've unchecked both of them now.
|
| I don't entirely understand the vulnerability, it sounds like it was "letting people who have your phone number find you on Twitter" just as advertised. "we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries." OK, so... you can't use the API to do that anymore, but can still use the twitter web app directly? I mean, it says right there you are letting people who know your phone number find you on twitter, which I would assume means find your account name.
|
| It kind of sounds like they realized this whole feature was privacy-violating, or would be perceived as such, but they haven't gotten rid of the feature...
| I'm confused what they considered the vulnerability and what they changed or didn't, and to what extent usernames and phone numbers can still be matched by a third party on twitter.
|
| [1]: https://twitter.com/settings/contacts
| segmondy wrote:
| I have the inverse, I never did check it myself. That I can assure you of. I don't care for anyone finding me on social media.
| EGreg wrote:
| Honestly, there is a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.
|
| Both require authentication (although new court rulings may technically be outlawing all charging and quotas for APIs!)
|
| But the API has far more permissive bulk actions. Of course, with a botnet and enough time and effort one could execute a sybil attack to circumvent any per-account quotas, and use per-resource quotas to launch a DDOS attack on some resource to any non-authenticated parties.
|
| I wish there was a service to prevent sybil attacks somehow. Just make it exponentially more expensive to create multiple identities / accounts on networks. Has anyone got _links_ to papers or projects or _anything_ in that direction? It would be hugely valuable.
|
| PS: Twitter and other startups don't particularly care about sybil attacks and fake users when they are growing, it helps them "innocently" report great user numbers to VCs. So they don't spend much effort preventing sleeper bots from joining in the network's growth phase.
| jsnell wrote:
| > (although new court rulings may technically be outlawing all charging and quotas for APIs!)
|
| That seems quite hard to believe. Do you have a link?
| EGreg wrote:
| https://news.ycombinator.com/item?id=22180559
| jsnell wrote:
| Thanks.
|
| That link isn't about APIs, isn't about outlawing charging or quotas, and appears to just be about a preliminary injunction rather than a generally applicable ruling.
| So I'd argue that it doesn't in any way support your initial claim.
| jrochkind1 wrote:
| > a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.
|
| Sure, the difference you speak of is only and exactly if the rate-limiting on your API is different than on the other rate-limited (web?) clients, right?
|
| It doesn't have to be, but it often is, for various reasons intentional or accidental. Making the rate limiting the same might be another way to fix the "vulnerability" then? It depends on what they consider the vulnerability exactly; if you don't know what it is you consider the problem, it's hard to fix it, or for you or anyone else to judge if you've fixed it! I find their statement to be vague on what the problem was exactly, as above.
| rcthompson wrote:
| Based on the "large network of fake accounts", I'm guessing the attackers were doing something to effectively query every possible phone number and associate an account to each one.
| ramses0 wrote:
| @fake_twitter_account_212_111_xxxx w/ a phonebook contact list of "212-111-0000" => "212-111-9999". Lather, rinse, repeat. You'd need ~10M accounts w/ ~1000 phone numbers in each, and that can be reduced by some percentage if you know how U.S. phone numbers are assigned (ie: don't check for xxx_555_xxxx numbers, prefer highly populated prefixes, etc.)
|
| Good thing they SUSPENDED those accounts! /s
| rcthompson wrote:
| You can probably narrow down the list to just existing mobile numbers by sending a text message to each one, and then just do this for ones where the text message actually goes through.
| tzs wrote:
| > It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email".
| > But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?
|
| I looked at mine, which I'm sure I've never touched before because I never cared about Twitter settings. As with my Facebook account, my Twitter account was mostly just created to get an acceptable name in case someday I actually wanted a serious social media presence.
|
| Both are unchecked. The account was created in early 2008.
| fernandotakai wrote:
| yeah, same. account created in oct 2007, never checked and i have everything turned off.
| disiplus wrote:
| also unchecked, and i have my phone number there.
| nyuszika7h wrote:
| If you're in the EU they were likely disabled in 2018 as part of the GDPR prompt.
| arkadiyt wrote:
| You can also delete your phone number completely - there's no real reason for Twitter to have it, especially now that it's not required for 2fa.
| dylz wrote:
| You will receive account suspensions shortly after / days after removing it, at least in my experience.
| dandellion wrote:
| That happened to me, although I contacted support and they restored it the following day, no questions asked.
| larrik wrote:
| Didn't you use to tweet via SMS? I assume that's still an option? Seems like a valid reason for them to have it.
| tedunangst wrote:
| They turned it off after somebody simjacked jack.
| [deleted]
| GrumpyNl wrote:
| One of the reasons i never installed the twitter app. Will keep using the web page.
| deft wrote:
| What happened: Twitter asks users on sign up to scan their contacts (read: steal and upload them). If you say no, twitter asks again and again every day / every login until you finally allow it to. Twitter builds a huge and unnecessary db of users and phone numbers, as well as non-users IDs tied to phone numbers.
| Someone uses an API to steal this info that in most cases twitter only collected by tricking their users / forcing it.
|
| Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.
| amluto wrote:
| Apple could nip this in the bud: don't allow apps to read a full contact list _at all_. Use a contact picker when needed.
| twodave wrote:
| This certainly would break plenty of valid use cases for a feature like this. More likely they ought to have policy in their developer docs to scope reasonable uses of the full contact list and start rejecting updates for applications that violate the new rule.
| Zenst wrote:
| > Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.
|
| Given the ramifications on leaking Name with phone number of people who didn't agree directly anything with Twitter and just had their contact details trawled by any of their friends signing up. Not good as with that, hijacking phone numbers has been done many ways and times, even the CEO of Twitter had that stunt pulled upon him. What with 2FA for many being a text message sent to your phone number. The ramifications of this could be bigger than they first appear and remember. They only found this, how long has this been open to such abuse. So anybody who had their phone number hijacked in X period of time, this `might` be a possible explanation in some of those instances.
|
| Legally - no idea how this will pan out, but certainly not be the last we read about this.
| xorfish wrote:
| You can also match phone numbers and Instagram accounts
| RKearney wrote:
| A trick I found to stop this nonsense is, at least on iOS, answer yes to the Application's custom dialog to ask permission.
| This will then invoke the iOS security dialog where you can click "No" and never be asked again.
|
| Generally what I see happening is apps will ask the user if it's okay, and only when the user says yes will they execute the necessary system call to request access. In iOS at least, if a user clicks No the app can never prompt for that permission ever again. Until the app makes this formal request to the operating system, it does not show up under privacy (as the app had never asked for it in the first place).
| vincentmarle wrote:
| Your friends/family probably won't do this, so your phone number is going to be shared with Twitter anyways.
| ngvrnd wrote:
| this worked for me also.
| lonelappde wrote:
| Why does Apple allow that for App Store apps? That's obvious circumvention of iOS's privacy control regime.
| toast0 wrote:
| My post below is wrong, please move along. Keeping as-is, so the replies make sense. Thanks repliers!
|
| The native prompts don't allow for app specific explanatory text to be presented. I haven't reviewed iOS guidelines, but Google provides guidance to inform users of why you're asking for permissions before you do it, and I would guess Apple would suggest the same as well. Pestering people for access once a day is probably not within the scope of the guidelines though.
| cactus2093 wrote:
| Incorrect, iOS does allow explanatory text on the system prompt, in fact it's required.
|
| There is no good reason for Apple to allow apps to mask permission requests with their own dialogs, it's just a case of not bothering to fix this loophole.
| diebeforei485 wrote:
| > The native prompts don't allow for app specific explanatory text to be presented
|
| Not true. iOS apps can specify explanatory text to be included in the native prompt. In fact they are required to do this, since at least two years ago.
|
| The NSContactsUsageDescription string (in the Info.plist file) is the place to specify this.
|
| https://developer.apple.com/library/archive/documentation/Ge...
| diebeforei485 wrote:
| Ideally, iOS would have an option to say "always deny Contacts access and never bring up a dialog again".
|
| I don't share my contacts with any app, and I hate being asked again and again for every single new app. No means no.
| twodave wrote:
| Actually for most things in iOS, once the system dialog has been brought up, the operating system won't allow it to be brought up again. It won't stop the application in question from nagging you, but at least then even if you click "allow" on the application pop-up the system will still require you to go into the app permissions and explicitly allow it.
| [deleted]
| rchaud wrote:
| It's for this reason that I use PWAs wherever possible. Right now I'm using it for Twitter and Uber. Tired of turning off permissions and then having to do it again when apps auto-update and restore the original permissions.
| drewmol wrote:
| > Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.
|
| If you made some agreement as to how your friend could use your phone number and 'sharing with Twitter' is a violation then you could sue them I suppose. Annoying as this data collection is, labeling information about you as only yours is incorrect, it's your friends' and Twitter's (and Google/FB/AMZ/etc.) information too.
| fireattack wrote:
| > If you say no, twitter asks again and again every day / every login until you finally allow it to.
|
| Any proof about this claim? I use Twitter on Android and web frequently and I only refuse such request once or twice.
|
| Bottom line, it doesn't "ask again and again every day".
| zippergz wrote:
| I've been using Twitter daily pretty much continuously since 2008 and I don't remember ever being prompted to upload contacts.
| I can believe it has happened at some point, but it certainly doesn't repeatedly ask me. I use the web interface and the first-party iOS app (though over the years I have also used various third-party apps on both iOS and macOS).
| throwiay987 wrote:
| Consider yourself lucky, any account i create without a phone is immediately flagged/blocked and if i do use mine (personal), i get asked to add permissions like the parent said every single time.
| fireattack wrote:
| Account associated with a phone number is totally different from "scan your contacts".
| nacs wrote:
| If you use the web client, they have a header that asks for your phone number repeatedly until you give it.
| fireattack wrote:
| OP was talking about "Twitter asks to scan your contacts", not to add a phone number.
| diebeforei485 wrote:
| They should not allow phone number -> handle lookups. That is quite creepy.
|
| A much more privacy-respecting method would be to only allow lookups if _both_ parties have each other added.
| busterarm wrote:
| So I guess Twitter applied for a technology embargo exemption to Iran?
|
| I mean, I guess that's been public knowledge already that they serve there, but the overwhelming majority of public companies block the IP space of every country on the embargo list.
|
| I'd think that serving Iran right now would be fairly politically untenable
| xxpor wrote:
| Most of Iran's leadership have active twitter accounts, so I'd have to guess so.
| spoondan wrote:
| It's interesting to me that these kinds of things are not catalogued and advertised like other vulnerabilities. This is an exploitable information leak using an endpoint that many other services likely have.
| dickjocke wrote:
| I was rejected with no explanation from a Twitter API key, despite it being for a real account that must appear very normal in every respect.
|
| I think it's kind of funny that they are so draconian with hobbyists and people making toys, but that any motivated bad actor can probably access most of the same endpoints and services by virtue of the fact that they have to be accessible for people to use Twitter.
| exabrial wrote:
| I don't even feel sorry for them. Many many times over, industry experts told people: SMS is NOT 2FA and should not be used as such. Great to see karma served, and I look forward to U2F or WebAuthn on my twitter account soon.
| rchaud wrote:
| What's there to feel sorry about? Twitter isn't facing any regulatory scrutiny over this, let alone possible fines.
| rewq4321 wrote:
| I was amazed when I found out about this "trick" a year or two ago. It basically means that if you've used your personal email or phone number to create an "anonymous" twitter handle (e.g. a whistleblower, leaker, etc.), then it's not anonymous at all.
|
| Someone can just put batches of emails into their gmail account (e.g. journalists' public emails, their employees' emails, other suspects), then use the Twitter contacts-import functionality to import those emails and match them up with Twitter account handles. It's insane.
|
| I first saw people explaining how to do this on Quora a year or two ago, but here's another explanation that was posted just a few days before this announcement: https://www.quora.com/How-228/answer/William-Boyd-181
|
| Twitter MUST have known about this loophole for many years. It's nigh on impossible that they are that incompetent, so, as far as I can see, they were just ignoring the loophole because they didn't want to slow down their growth by removing the feature. As with all social networks, the most important factor in keeping users is to quickly get them a network of followers and followees.
| | EDIT: | | > "People who did not have this setting enabled or do not have a | phone number associated with their account were not exposed by | this vulnerability," Twitter said. | | This spokesperson is extremely sneaky. They completely neglect to | mention that the "let others find me by _email_ " is checked by | default, and so we can only assume that anyone who has a publicly | scrape-able email _somewhere_ (basically everyone, because | you've got to count all the leaked databases too - see: | haveibeenpwned.com) has had their Twitter handle linked to that | email. Atheist bloggers in Saudi Arabia, whistleblowers in the | US, opposition activists in Russia, and so on - all potentially | fucked over (past tense) by this. | | And while I'm ranting: What's worse is that they apparently | _haven't disabled that API_. They've just removed a few big | crawler swarms. But the thing is, Russia / Saudi Arabia / etc. | probably have narrowed their suspects down to 500 (or so) emails | anyway, so they can discover the heretic/activist in a SINGLE API | REQUEST! So Twitter has done _nothing_ to fix this loophole. | yomly wrote: | Yes, this is the thing everyone should be talking about. Think | of any of the bigger Twitter posters on Hong Kong. If any of | the ringleaders didn't decouple their twitter handle from | everything else they will have a giant bullseye painted on them | by CCP. | sakisv wrote: | From Twitter's statement: | | > People who did not have this setting enabled or do not have a | phone number associated with their account were not exposed by | this vulnerability. | | This is a bit disingenuous, given that you can't really open an | account unless you provide a phone number to "verify" it.
| | Edit for clarification: | | As gojomo said below | (https://news.ycombinator.com/item?id=22233612) you may not need | to provide it during sign-up, but your new account is almost | immediately locked for "suspicious activity" and you need to | provide a phone to unlock. | jchw wrote: | Indeed: using email based sign up usually immediately triggers | a suspension. It can take as little as a few minutes. | dicytea wrote: | Does this vulnerability affect people who added a phone number | but then removed it? Last time I tried, this method was | effective for getting around the "suspicious activity" lock. | caseysoftware wrote: | Even if you disconnect the number, they still keep it on | file. | | I have a small network of legitimate accounts that they've | suspended a few times. In this last round of suspensions, I | can't reset any of them with my phone numbers any more. | raxxorrax wrote: | The whole phone number thingy for added security 2 factor auth | has been quite the scam. | pingyong wrote: | Why wouldn't you though? That's gotta be pretty juicy data. | You can compare phone numbers across so many different | databases now, makes profile creation 10x more efficient. Not | really surprising that _everyone_ wants your phone number | badly these days. | | Microsoft does the same thing btw. Was really fun for a | friend of mine who registered a Microsoft account for mixer, | forgot about it, bought Halo, needed an MS account to log in, | thought hey I already have one, and instantly got locked out | because it didn't have a phone number. | bathtub365 wrote: | Having something as personal as a phone number should be | seen as a liability, not an asset. | captn3m0 wrote: | I bought a dress, a cookie, and a book yesterday from a | mall in India. | | All 3 asked me for my phone number. It's getting ridiculous. | nso wrote: | I went to the apple store to buy a router. It took me | involving the manager before the guy let me pay without | leaving my name and address.
| denzil_correa wrote: | India is just ridiculous in this regard. Recently, | there's some app at security gates at the entrance of | apartments that asks for phone numbers. It's strange that | one needs a phone number to visit my friend. | andrewzah wrote: | Do you put your real number in for those kinds of | purchase? I generally just put in a random 800- number. | lonelappde wrote: | Doesn't India link phone numbers to bank accounts? | switch007 wrote: | It's batshit crazy. But the PR campaigns/marketing by the | companies that want your phone number for other reasons seems | to have worked. | kjaftaedi wrote: | That might be the case now, but twitter didn't always require | them. | | I wouldn't be surprised if there are 10s of millions of | accounts without phone numbers associated with them. | [deleted] | atomi wrote: | They "requested" my phone number after the fact. And by | "requested" I mean I wasn't exactly given a choice. I wasn't | able to access my account until I provided a number. Of | course all this was for "security" reasons. Personally I'd | prefer to use Google authenticator anyway. | SkyBelow wrote: | I feel as if one of the many elephants being overlooked | here is how 'security' is being abused to further data | collection. When an account gets locked now, I don't think | it is for actual security, but to increase data collection. | Tragedy of the commons being exploited by major websites. | The same ones which also want to hold themselves as the | arbiter of truth (or at least as one of the Arbiter's | official spokesmen). | cmroanirgo wrote: | I just checked the twitter signup form, which does have a phone | input. But there's a toggle saying "use email instead". | | So, no phone number is required. | gojomo wrote: | New accounts without an associated phone number tend to face | a lock & challenge, for "suspicious activity" (even if | they've never posted), which can only be reversed by adding a | phone number. 
| | So, Twitter is _de facto_ requiring phone numbers on many | more accounts than the initial sign-up flow might indicate - | to the detriment of user privacy, & increasing the damage of | compromises like this one. | tialaramex wrote: | Note that activities which are potentially suspicious | aren't just about posting, it includes following people, | because that makes their follower count go up, and the | whole point of displaying that count is most people want to | appear popular - and so of course people create bogus | followers. | | I agree that Twitter using this to get people to give them | PII they don't want Twitter to have, especially when | Twitter aren't a good custodian of that PII is terrible, | but it's not as though Twitter's other option (anybody can | mint a thousand bogus Twitter followers with no pushback | from Twitter) looks great either. | jammygit wrote: | I never used twitter until last year when I made an | account. They flagged me for following 5 people and | liking some posts, locked me out, and notified me that | any attempts to send support a request would be ignored. | I can't even log in or contact anyone to delete the | account. | | I guess the future is to be given the middle finger so | eagerly by bad AI all the time. | itronitron wrote: | If using the application for its intended purpose makes | your account seem not-human, just who or what did they | design the application for? | retox wrote: | My account (created without entering a phone number) was | locked immediately after logging in the first time, from | the same IP I signed up with, without performing any | actions. This was over 12 months ago. | gojomo wrote: | Yes, Twitter now considers everything "suspicious", | including the minimal steps required to use Twitter as a | logged-in account at all, like "following people" (even | just a few). | | And thus, Twitter more-or-less requires phone numbers | from everyone.
This increases the risk that Twitter's | users will be "doxxed" - and even, when those users anger | certain large violent organizations, the risk they'll be | assassinated. | 80386 wrote: | > I agree that Twitter using this to get people to give | them PII those don't want Twitter to have, especially | when Twitter aren't a good custodian of that PII is | terrible, but it's not as though Twitter's other option | (anybody can mint a thousand bogus Twitter followers with | no pushback from Twitter) looks great either. | | Third option: don't display follower counts. | newnewpdro wrote: | They let you create an account without a phone number, and | immediately afterwards lock the account until you provide | one, for alleged "suspicious activity". | | Try it. | teh_klev wrote: | Can confirm this. Tried to set up a new Twitter account for | business use, got the phone number challenge but wasn't | able to go any further because the number I wanted to use | was "already in use" i.e. my own number I already stupidly | associated with my personal twitter account. | | To add insult to injury I've been suspended permanently | because Twitter's "offence" AI can't distinguish between | black humour and a direct physical threat. But that's | another story. | slig wrote: | They insta-banned two new accounts from me (for side-projects) | after I entered my phone-number which was | associated with my personal account. They went from a | no-law-free-spam zone to shoot-first-and-don't-ask-later. | 80386 wrote: | The same thing happened to me. But I was somehow able to | create a new account on Microsoft Edge. It hasn't been | disabled, but I don't plan to use it. If they want to | kill their own business, I say let them. | LegitShady wrote: | Disagree. If you make a Twitter account and then use it | without a phone number it will quickly be locked to force you | to prove you're human. It took less than 3 hours for mine.
| They want my phone number to unlock it enough to delete the | account. No way. | [deleted] | the8472 wrote: | Instead of providing a phone number you can also email support | and complain about the account lock. But yeah, it's a pretty | scummy bait and switch behavior. | rahuldottech wrote: | I had to send at least six emails to get this to work. _Six._ | notrandom wrote: | I personally tried this. Pregnant silence. | drewmol wrote: | TL;DR | | Twitter's data collection/friend matching feature used an API | endpoint that returned usernames given phone numbers. A security | researcher exposed it publicly, Twitter patched it (to just | return a token or something). Twitter investigated and just | released their findings "out of an abundance of caution and as a | matter of principle." that it's clearly been "exploited" many | times in the past. Twitter probably charges for the data returned | by this "exploit". It doesn't look like the settings offered stop | Twitter from selling this "exploit" as a service for | "promotional" content. | | It seems strange not to care that Twitter sells your username but | care they also accidentally gave it out for free in the past. | jraph wrote: | I read the article and thought, "well, yes, the option that | needed to be enabled on the account for the attack to work | describes what the API did, what is the bug?" | | I found the original notice from twitter [1] easier to understand | (maybe change the URL of this post?) and it does not speak about | a bug. Twitter did implement a change so that the attack cannot | be done anymore though. | | I did not understand the fix itself, it seems the API cannot be | used for its intended use anymore? | | [1] https://privacy.twitter.com/en/blog/2020/an-incident- | impacti... | drewmol wrote: | The intended use was for a user to submit their contact data | (phone book).
Twitter's API would return a list of usernames | matching those numbers for the purpose of | requesting/notifying/suggesting potential friends (in exchange | for their* data used to build a social graph/sell). Twitter | patched/updated the API which means (the API probably returns a | token or key or something that doesn't reveal the username now) | if someone wants to submit a list of phone numbers to get their | Twitter usernames they'll have to pay Twitter[0] or use a | different "exploit". | | * if someone has _my_ phone number in _their_ phonebook and | gives it to Twitter - it becomes our data. | | [0] https://business.twitter.com/en/help/overview/what-are- | promo... | sdan wrote: | Isn't this old news? Thought this came out a few months ago. | boudin wrote: | According to the article, Twitter discovered the problem on the | 24th of December 2019. | milofeynman wrote: | I swear I saw someone mention this a month or two ago in HN | comments. They said that they believed Twitter's API was being | used to unmask accounts by state actors. I can't find the | original article now. | jsnell wrote: | You're thinking of | https://news.ycombinator.com/item?id=21873229 | | That was slightly different, since at that time the only | information we had was that this unethical "security researcher" | had exploited the bug for months on billions of phone numbers | and only disclosed it once Twitter blocked them. | | This announcement is different in that Twitter appear to be | saying that this was being abused by other actors as well. | milofeynman wrote: | That was exactly the comment. Thank you! It sounds like | everyone and their mother was exploiting the API based on | today's post. Thanks again. ___________________________________________________________________ (page generated 2020-02-05 23:00 UTC)
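As an added example, not code from the thread or from Twitter: a sketch of the contact-matching endpoint drewmol describes, hardened with the mutual-opt-in rule diebeforei485 suggests, an explicit discoverability setting, a per-caller upload budget, and opaque caller-bound tokens in place of handles. The directory, the numbers and the budget value are constructed; the token scheme is an assumption, not Twitter's actual fix.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample directory (hypothetical, not real accounts): phone -> handle,
# the "let people who have my number find me" setting, and the numbers that user
# has previously uploaded from their own address book.
USERS = {
    "+15555550100": {"handle": "alice", "discoverable": True,  "contacts": {"+15555550101", "+15555550102", "+15555550103"}},
    "+15555550101": {"handle": "bob",   "discoverable": True,  "contacts": {"+15555550100"}},
    "+15555550102": {"handle": "carol", "discoverable": False, "contacts": {"+15555550100"}},
    "+15555550103": {"handle": "dave",  "discoverable": True,  "contacts": set()},
}
MAX_NUMBERS_PER_CALLER = 100          # constructed budget; bulk enumeration trips this first
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret; tokens mean nothing elsewhere


class ContactMatcher:
    def __init__(self):
        self._uploaded = defaultdict(int)  # caller phone -> numbers submitted so far

    def match(self, caller, numbers):
        """Return {phone: opaque_token} for uploaded numbers that may be matched.

        A number is matched only if (1) it belongs to an account, (2) that account
        has discoverability by phone switched on, and (3) that account has itself
        uploaded the caller's number, so the relationship is mutual. The caller's
        upload is its own half of the mutual check.
        """
        if caller not in USERS:
            raise PermissionError("unknown caller")
        self._uploaded[caller] += len(numbers)
        if self._uploaded[caller] > MAX_NUMBERS_PER_CALLER:
            raise PermissionError("contact upload budget exceeded")
        matches = {}
        for phone in numbers:
            target = USERS.get(phone)
            if target is None or not target["discoverable"]:
                continue  # no account, or the account opted out of phone lookup
            if caller not in target["contacts"]:
                continue  # target has not uploaded the caller's number: not mutual
            # Hand back an HMAC bound to (caller, target) rather than the handle. The
            # client returns the token for "suggest this contact" style actions without
            # ever learning which account the phone number resolves to.
            mac = hmac.new(SERVER_KEY, f"{caller}|{phone}".encode(), hashlib.sha256)
            matches[phone] = mac.hexdigest()
        return matches
```

Bulk lookups of numbers the caller does not actually know (the scenario the thread describes) fail on the mutual check before any token is issued, and the budget caps how many probes a single account can make.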