Date:18/12/18
Twitter has fixed a strange vulnerability on a support forum that allowed hackers to obtain the country code of accounts, which had an associated phone number as well as information on whether the account was locked.
The vulnerability was discovered by Twitter on Nov. 15, when the company noticed unusual activity involving the affected customer support form application program interface. The surge in traffic came from individual IP addresses located in China and Saudi Arabia.
“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter said in a post today. The vulnerability was fixed on Nov. 16.
Twitter did not say how many account holders were affected, only that they’ve been informed.
Why state-sponsored actors would be looking for a country code of a telephone number linked to a Twitter address may seem odd. But according to TechCrunch, the concern is “that malicious actors could have used the security flaw to figure out in which countries accounts were based, which could have ramifications for whistleblowers or political dissidents.”
The vulnerability may not be the only one. Security researcher Terence Eden uncovered an OAuth permissions flaw in Twitter Dec. 14 that allows third-party applications to access a users’ direct messages even when they said they would not permit it.
“For some reason, Twitter’s OAuth screen says that these apps do not have access to direct messages,” Eden explains. “But they do! In short, users could be tricked into allowing access to their DMs.”
Eden claimed Twitter has now fixed that issue.
One vulnerability is careless but two so close together is another matter, especially coming on top of various other vulnerabilities at Twitter throughout the year.
In September it was revealed that Twitter had patched a vulnerability in one of its application programming interfaces that gave third parties access to direct messages and protected tweets. And last month a hacker managed to hijack verified accounts and pretend to be Tesla Inc. Chief Executive Officer Elon Musk.
Twitter fixes vulnerability that exposed country code details of targeted users
Twitter has fixed a strange vulnerability on a support forum that allowed hackers to obtain the country code of accounts, which had an associated phone number as well as information on whether the account was locked.The vulnerability was discovered by Twitter on Nov. 15, when the company noticed unusual activity involving the affected customer support form application program interface. The surge in traffic came from individual IP addresses located in China and Saudi Arabia.
“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter said in a post today. The vulnerability was fixed on Nov. 16.
Twitter did not say how many account holders were affected, only that they’ve been informed.
Why state-sponsored actors would be looking for a country code of a telephone number linked to a Twitter address may seem odd. But according to TechCrunch, the concern is “that malicious actors could have used the security flaw to figure out in which countries accounts were based, which could have ramifications for whistleblowers or political dissidents.”
The vulnerability may not be the only one. Security researcher Terence Eden uncovered an OAuth permissions flaw in Twitter Dec. 14 that allows third-party applications to access a users’ direct messages even when they said they would not permit it.
“For some reason, Twitter’s OAuth screen says that these apps do not have access to direct messages,” Eden explains. “But they do! In short, users could be tricked into allowing access to their DMs.”
Eden claimed Twitter has now fixed that issue.
One vulnerability is careless but two so close together is another matter, especially coming on top of various other vulnerabilities at Twitter throughout the year.
In September it was revealed that Twitter had patched a vulnerability in one of its application programming interfaces that gave third parties access to direct messages and protected tweets. And last month a hacker managed to hijack verified accounts and pretend to be Tesla Inc. Chief Executive Officer Elon Musk.
Views: 363
©ictnews.az. All rights reserved.
Similar news
- Azerbaijani project to monitor disease via mobile phones
- Innovative educational system to be improved under presidential decree
- NTRC prolongs license of two TV and radio organizations for 6 years
- Azerbaijan establishes e-registry for medicines
- Azerbaijani museum introduces e-guide
- Nar Mobile opens “Nar Dunyasi” sales and service center in Siyazan city
- International conference on custom electronic services held in Baku
- OIC secretary general to attend COMSTECH meeting in Baku
- Azerbaijan develops earthquake warning system
- New law to regulate transition to digital broadcasting in Azerbaijan
- Azerbaijani State Social Protection Fund introduces electronic digital signature
- Intellectual traffic management system in Baku to be commissioned in December
- Tax Ministry of Azerbaijan started receiving video-addresses
- World Bank recommends Azerbaijan to speed up e-service introduction in real estate
- Azerbaijan to shift to electronic registration of real estate
