Ibrahim Balic has certainly become a name that Twitter will remember till the end of time. Before being blocked by Twitter on December 20th, he discovered a flaw in Twitter’s Android app that, when he uploaded phone numbers, returned the sorry gift of matching 17 million of them with accounts. Apparently, those matches were made in Turkey, Israel, Greece, Armenia, Germany, and Iran.
Zack Whittaker, security editor at TechCrunch, had the much-quoted story of the researcher’s phone-number-to-account exploit.
Specifically, wrote Whittaker, Balic “generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)”
TechCrunch wanted to see for itself if Balic’s research could pan out for them too. Whittaker reported the in-house results. “Using the site’s password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.”
This isn’t the first time Balic has been noticed by security watchers; he was previously known for identifying a security flaw in 2013 that affected Apple’s developer center.
Stacy Liberatore in the Daily Mail stated that “although Balic did not alert Twitter to the bug, he took it upon himself to let high profile users know about it via WhatsApp.”
Meanwhile, Jon Fingas in Engadget reported that the company’s spokesperson said the company was investigating the bug: “It blocked the activity by suspending the accounts used to get people’s information.”
Fingas later showed Twitter’s statement in response:
“We take these reports seriously and are actively investigating to ensure this bug can’t be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter’s APIs.”
The news of these matches drew reader comments from across the world, and those comments are informative as well. They showed that not everyone reacts the same way to contact reveals and data breaches.
Here is a sample among the disgusted ones: “Ugh, never trust these companies with your number.” And another: “I’m not dumb enough to include my phone number with a social networking website. Any site which requires a phone number for account creation isn’t worth my time.”
And here is a “no big deal” comment: “Sounds just awful…oh right remember for decades when we had these crazy things called phone books that had not only your but also home address in them?”
Now, we’ve got a counter-comment from the horrified side: “It’s not about the information on a per-person basis, but how the information can be abused far and wide across hundreds, thousands and millions of people around the world quickly and cheaply.”