In brief: A security researcher has been able to exploit a vulnerability in Twitter's Android app that allowed him to match randomly generated phone numbers with over 17 million Twitter usernames.
Now may be a good time to manually update your Twitter app, if you don't have automatic updates turned on. The company has patched a serious vulnerability that allows hackers to link phone numbers to user accounts in a relatively easy way.
Security researcher Ibrahim Balic told TechCrunch that he was able to match no less than 17 million phone numbers to their respective Twitter user accounts through a bug in the contact upload feature of the Android app.
Normally, the contact upload feature doesn't accept phone numbers in a sequential list. But Balic found that "if you upload your phone number, it fetches user data in return." That means the limitation that is supposed to prevent any matching attempts can be successfully exploited for that very purpose.
Balic says he generated two billion random phone numbers in sequence, and then uploaded them to Twitter using the Android app, as the iOS one doesn't seem to be affected. After doing that for two months, what he ended up with was a long list of matching usernames from Israel, Iran, Turkey, Armenia, France, Germany, and Greece. TechCrunch says it was able to verify the findings using Twitter's password reset feature.
There's no evidence that Balic's discovery is in any way linked to another vulnerability disclosed by Twitter less than a week ago that "could allow a bad actor to see nonpublic account information or to control your account," potentially exposing your Direct Messages, location info, and protected tweets.
Interestingly, Balic didn't inform Twitter about the vulnerability, and decided to use the exposed phone numbers of high-profile Twitter accounts belonging to politicians and celebrities to create a WhatsApp group and warn them directly.
A Twitter spokeswoman said "We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information." The company stopped Balic's effort on December 20, and removed his Twitter account.