back to article Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits

Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization. In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our …

  1. lglethal Silver badge
    Go

    Just curious

    If Twitter have the phone numbers for large numbers of twits, many of which are also trolls, posting threats and the like, why are we not hearing about more trollish twits being cuffed for making death threats and online abuse?

    Yes, if they dont have their phone number linked, then naturally this wouldnt work, but I'd be willing to bet the vast majority of trollish twits are not that clever (otherwise they wouldnt be trolls, would they now?). So how come its always just assumed people are anonymous and you either get off twitter or put up with it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Just curious

      They do. You just don't get many of the stalkers/bullies in the news unless it's a high profile case or a famous person.

      1. The Nazz Silver badge

        Re: Just curious

        Speaking of being in the news, here's one way to deal with trolls and get in the news. : https://www.bbc.co.uk/news/uk-england-leeds-51379041.

        Comedy gold, for those of us lucky (unlucky?) enough to have the wonderful Ms Brabin as our MP.

        Quite a contrast to her prior ten years of association (IDK the details) with the BBC's vile Eastenders.

    2. Khaptain Silver badge

      Re: Just curious

      "why are we not hearing about more trollish twits being cuffed for making death threats and online abuse?"

      I can only presume that it would result in the Plod, TLAs having to admit that they have access to this information which would create a potential media nightmare for them. It's better for them to lurk in the background and wait for bigger fish...

    3. macjules Silver badge

      Re: Just curious

      ..large numbers of twits, many of which are also trolls, posting threats and the like

      That's no way to talk about the President of the USA.

      1. Intractable Potsherd Silver badge

        Re: Just curious

        No, it really is.

    4. Anonymous Coward
      Anonymous Coward

      Re: vast majority of trollish twits are not that clever

      "clever" is a very vague word. I would argue, that some (many?) world-known figure trolls that appear on twitter, are "clever", as otherwise, they wouldn't have become world-known. Even if you define "clever" as "intelligent", the same argument applies. You need some (special traits of) intelligence to have got to reach the very top, in politics or business, say. Even if you were to claim that getting to those tops requires a long and sustained path of backstabbing and bribery (combined with lack of empathy), this still requires certain, above the average, level of cleverness / intelligence to perfect the art of backstabbing and bribery, lack of morals itself is not enough, methinks.

      1. Rich 11 Silver badge

        Re: vast majority of trollish twits are not that clever

        You need some (special traits of) intelligence to have got to reach the very top, in politics or business

        The primary trait being sociopathy, it seems.

        1. Roj Blake Silver badge

          Re: vast majority of trollish twits are not that clever

          Well-connected parents don't hurt either.

      2. Alister Silver badge

        Re: vast majority of trollish twits are not that clever

        Having an excess of cunning does not necessarily equate to "intelligence".

        Indeed the twitterer-in-chief is demonstrably lacking in intelligence, but he makes up for that with cunning, bile and vindictiveness.

    5. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Just curious

      ..."it is possible that some of these IP addresses may have ties to state-sponsored actors.”

      Ya think? It's also conceivable that a little forethought would have led to a design that didn't allow this.

  2. Pascal Monett Silver badge

    2FA was a nice idea

    Unfortunately, it means you place even more personal information into the hands of someone you don't know.

    Twitter failed to do due diligence on security. Of course, security is hard, but that is my entire point. I don't trust any web site with anything more than I have to. I'd rather have my account hacked than have some miscreant get my phone number.

    1. Bronek Kozicki Silver badge

      2FA is a good idea,

      .... as long as the 2nd factor is actually secure. Anything based on phone is not.

      1. Gonzo wizard

        Re: Anything based on phone is not

        To be more precise - anything based on phone number is not. A 2FA app installed on a phone is secure. A SIM hijack won't give the hijacker access to your 2FA codes in the way that 2FA by text message would.

        1. Brewster's Angle Grinder Silver badge

          Re: Anything based on phone is not

          "A 2FA app installed on a phone is secure."

          Possibly. If it's well written. More likely it's just vulnerable to a different set of vectors. It's closed source so we have no clue about the internals or the protocol. Worst case, we could attempt to read the code via spectre, rowhammer or some other side channel.

          I reckon the independent token generators are probably the best. My bank even issued one and I was using it to log in. But they kept nagging me to set up a phone; and doing 2FA authentication via SMS means I can do mobile banking in an emergency - which wouldn't be the case if I was without my card and my token-generating card reader.(And, okay, I admit, some laziness came into play: insert card into reader, enter pin, select function, enter challenge and type response into website. All to protect my negative money.)

          1. chuBb. Bronze badge

            Re: Anything based on phone is not

            Which is why MFA should be the preffered way of reffering additional verifications, 2FA is the bare minimum

            Every protection has a weakness which can be exploited, it just becomes orders of magnitude more complicated to subvert each factor especially if they have short validity periods <= 60 seconds. The trick is for the factors to overlap that way there is no one way in, and the more factors you have the smaller the intersection is on this imaginary venn diagram, so while not impossible to subvert it gets damn expensive in expertise and effort to make it not worth persuing and instead going after a less secure targets.

            On there own each factor is weak

            Username Password,

            SMS,

            Biometrics,

            Auth App,

            Code Generator

            But using 2 or more gives you good to best effort (Infinite Improbability Drive needed for everything to align) level security, just as always its the balance of conveinence vs security.

            Also if your phone is set to lock after a min i would argue that the act of unlocking it grants you an additional factor to use so user creds +auth app is actually a 2(+1)FA

            1. Brewster's Angle Grinder Silver badge

              Re: Anything based on phone is not

              Variety of devices and channels are more important than the brute factor count. Username+Password, SMS, biometrics and auth app can all be run through one device and, if that device is compromised, then it's game over - even if you use every last factor. But if I'm logging in from a laptop or a desktop, and the 2FA comes in via my phone, then you have to compromise my mobile phone as well as my computer. That's squared the difficulty.

              Likewise, it's not enough for a hacker to man-in-the-middles the bank; they've got to intercept the SMS as well.

          2. phuzz Silver badge

            Re: Anything based on phone is not

            "It's closed source so we have no clue about the internals or the protocol."

            Most 2FA uses TOTP (RFC 6238) and/or HOTP (RFC 4226), so we do indeed know the protocol.

            The original versions of the Google Authenticator are open source (later versions are not), but if you prefer, there's many different programs, some of which are open source, that all support the same authentication protocols. Here's a (open source) Python version if you like (as an example).

            If you don't trust anyone else, you could code your own implementation based on the RFCs, which would work with a Google/Microsoft/etc. account.

        2. Claptrap314 Silver badge

          Re: Anything based on phone is not

          Is your phone made by RIM? If not, then not only is it not secure, it cannot be made secure.

          And don't start with the histrionics of the LEAs about this technology or that. They are seeking to penetrate a phone after the fact and when the "owner" is not actively using the device.

  3. redpawn

    The Security

    is for state actors. Wouldn't want to make them unhappy. They might block the service.

  4. anoco

    don’t trust any company with more personal information than they need to have

    Even that is too much!

  5. The Man Who Fell To Earth
    FAIL

    Just reinforces the phrase

    Twitter is for Twits.

    1. BebopWeBop Silver badge

      Re: Just reinforces the phrase

      Twitter is for Twats

      TFTFY

      1. Khaptain Silver badge

        Re: Just reinforces the phrase

        It's not without reason that it is the Orange One's favorite media tool.

        1. Clunking Fist Bronze badge

          Re: Just reinforces the phrase

          "media tool" indeed: it gets his message (good or bad) out to folk directly, rather than having to rely on the, err, media tools...

  6. W.S.Gosset Silver badge

    Government rather than private?

    > Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy

    Given that it's Twitter, an irritant for authoritarian regimes, and looking at 2 of the 3 cited names, I would have thought it far more likely to be governments/regimes seeking to identify who's behind particular criticism and/or activism. So that they can quietly eliminate it.

    1. genghis_uk

      Re: Government rather than private?

      All 3 of the named are likely to suppress dissent quietly and permanently.

      Just suprised UK and USA are not on the list

      1. Anonymous Coward
        Anonymous Coward

        Re: Government rather than private?

        NSL's for the win, dummy

      2. eldakka Silver badge
        Black Helicopters

        Re: Government rather than private?

        They made no mention of the list provided (Israel, Iran, Malaysia) being the complete list of sources found.

  7. TimMaher Bronze badge

    SIMS

    Considering how often 2FA and SIMs are mentioned by commentards; not only in this thread but in many others; perhaps it’s time to look at tying a SIM to a particular device?

    Public/Private key and something like the IMEI?

    Just saying this in a lazy comment as I haven’t actually done any research.

    Wouldn’t help with landlines.

    1. eldakka Silver badge

      Re: SIMS

      perhaps it’s time to look at tying a SIM to a particular device
      That would defeat the whole point of having SIMs.

      A mobile number is temporarily assigned to a SIM, not a physical handset. That way, when I upgrade my handset, I can pop the SIM out of the old phone and into the new phone and the number follows the SIM to the new phone. A SIM is designed for portability between handsets. And if a SIM gets damaged or lost (say I drop your handset over the side of a boat while fishing), the number can be assigned to a new SIM, that can be placed in a new (or old/existing) handset, so I can keep my number

      There is no problem with the SIM paradigm. The problem is with the paradigm of assuming a phone number, an entirely virtual construct, is a valid factor in a MFA system. It is not. It never has been.

      The traditional security factors are:

      1) What you know (e.g. password, PIN)

      2) What you have (something in your physical possession, e.g. keycard, token generator, ID pass, badge)

      3) What you are (biometrics - DNA, fingerprint, iris, face recognition)

      Companies have been using phone numbers as a "What you have" factor. But a phone number is not a physical thing in your possession. A phone number is something that is virtually assigned to a SIM, and can be changed arbitrarily, remotely, without your knowledge or input. It is not an appropriate "What you have" factor. It never has been. It was a half-arsed, public-relations attempt at a 2nd factor. It is the TSA (security theatre, not actual security) of the multi-factor authentication world.

  8. ForthIsNotDead Silver badge
    Go

    Just don't use twitter.

    Simple.

  9. Anonymous Coward
    Anonymous Coward

    Twitter says a certain someone tried

    interesting, how many certain someones tried before, and quietly got what they were after.

  10. SVV Silver badge

    Not a backend system flaw, just an incredibly stupid idea

    This is the problem with the big platforms' insatiable greed for personal information : that it not only destroys privacy, but as a consequence of that destroys security for the users. The companies are hardly unaware that "Easily find a friend" also means easily find anybody. Or everybody. Someone must have raised the possibility of this happening when the APIs were thought up, but I suspect that such concerns are a career killer within these companies who fundamentally rely on as much data and connections between it as possible to keep people coming back as often as possible.

  11. Mike 137 Bronze badge

    "don’t trust any company with more personal information than they need to have"

    Unfortunately, provision of a phone number is an increasingly common mandatory requirement for registration to online services as they send back a token, and using a throw away SIM each time gets expensive.

    1. Jason Bloomberg Silver badge
      Unhappy

      Re: "don’t trust any company with more personal information than they need to have"

      It is getting just as bad in-person. It seems one can't buy anything these days without being asked to supply every last bit of personal information. I despair at seeing people hand it over without even asking why they need it, without even thinking abut it.

      Me; I don't tell them anything despite how much they insist I must. I don't know whether I should laugh or cry when it gets to; do you want to sell me this 25p second-hand DVD or not?

      1. Andrew 99

        Re: "don’t trust any company with more personal information than they need to have"

        that's where random info can be helpful.

  12. TeeCee Gold badge

    Twitter security hole was a giant intelligence gathering opportunity,

    s/intelligence/stupidity/

    Unless this is a different Tw@ter we're talking about.

  13. fidodogbreath Silver badge
    WTF?

    Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature, and match them to usernames.

    Why would they allow an end user to query two billion phone numbers? Rate limits and quotas are API security 101.

    Oh. Security 101. Never mind; answered my own question.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020