Can this be an API leak which Chinese MSS used to track Chinese users?
It may well be, if we believe that the API wasn't implementing discoverability restrictions from privacy settings, and only hid users at the UI level.
> Basically Twitter got pwned big time, and now denies it because GDPR will ruin them if breach is proven.
Here is what Doubi's online followers figured:
> State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.
> Twitter haphazardly closed the breach in complete secrecy.
> API hole explanation is excluded as people with 100% private accs got police visits.
> People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.
> 2016 breach is also out of question.
> The only explanation is that they got hold of a big piece of their user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.
The story has some problem, Doubi is not an SSR developer, SSR was a high school girl's popular personal fork who mysteriously stopped.
Doubi is a blogger sharing GFW circumvention tips, like easy-to-use installing scripts for VPS, tutorials, reviews and a list of donated free accounts. Before his arrest, his blog had been under attack, domain names blocked.
The phone number thing is very dangerous, Twitter basically won't allow you to use it after a while if you don't provide a valid phone number.
If I were China, I'd go for this. Twitter has thousands of employees, many of whom can surely be turned with some pressure. Also many who have family in China that can be used for leverage.
I’d have to imagine this is very common, and they’ve probably got one at all the big tech companies. It’s an underreported threat IMO. Who would say no to doubling their salary in exchange for running the occasional DB query for their home country?
And if a little persuasion was needed, the folder with evidence of assets secrets that would turn their life upside down if revealed. Ideally real secrets, but these days made up ones are probably as effective.
Oh boy, I’d encourage you to work in government for a year or two. I did IT for a government department that eventually wound up being investigated for letting the Taliban use their equipment (all I did was help them troubleshoot run of the mill PC issues FWIW). I personally know someone who had root access to a government land auction DB. Someone asked them to run “off the book” queries in exchange for looking the other way if said DBA wanted to run their own unaudited queries.
At competent companies -- I make no claim about Twitter here, but certainly at Google or at my employer -- it is extremely uncommon to have access to that database. All requests to access are logged and individually permissioned. Asking to access without a good reason, such as attachment to an active customer ticket, etc -- will get a hard no.
But at the same time, there's usually a way round it. For example, break the account in some way so the user opens a ticket, then grab the ticket and dump the whole contents of the account to 'debug'.
At a public company like Twitter, for SOX compliance reasons, it will be very difficult to find someone that has such permissions, and running anything unusual can be easily found by auditing. I'd stop with the conspiracy theories.
In general, most companies want to scope SOX as narrowly as possible. So if you can, only things that your auditors think will affect revenue reporting.
Querying ads performance data? Sure, we'll SOXify it.
Querying user accounts writ large? "Meh, our engineers need to be productive."
There are always weaknesses and internal vulnerabilities in every system.
If it was from the inside more likely a privileged user was compromised. It could also explain why Twitter is being quiet, especially if the investigation is ongoing.
Anyone who isn't stupid. Considering how many big corporations have ties with government agencies, if you try to pull something like that and you get caught you could easily be charged with espionage.
Even people with large IQs can be 'temporarily' stupid. Hence the term "lapse in judgement." Somebody who's intelligent but lets their ego run wild might believe they're too smart to get caught.
It doesn't scale -- the more you do it, the more likely one of them is to squeal or be caught, then MSS would be leaking their priority target list straight to the FBI. Instead they would carefully target people with access, but not necessarily force them to divulge information / tamper with systems except when they really need it.
Occam's razor supports this one. Which would also bring liability to Twitter for not taking adequate steps to secure their servers.
It's not like they get l337 h4xx0rs to pwn their internal systems; they probably just have login credentials or permissions they shouldn't have, which aren't audited, and they can sneak things out in plain sight.
If China got OPM, they could easily get most of Twitter's DBs. Most likely through Nationals passing vulns back to home state intelligence agency, who can exfil data but not finger the moles.
You answered your own question yourself in that thread, it seems:
> API hole explanation is excluded as people with 100% private accs got police visits.
Still, thanks for sharing, that's a hell of a story. I don't speak Chinese and have no idea what ShadowSocksR is or why this Doubi guy was so hated by the Chinese govt for that. Would appreciate more details.
> Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped after Twitter blocked the effort on December 20.
Sounds like the other thing Balic discovered (not explicitly published here) is the rate limit below which Twitter's anomaly detection will not notice that you are using an interesting API endpoint.
> While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly.
It sounds like he spent two months extracting data through a flaw that's existed for years and then bragged about it after it got closed to his egregious usage.
Is this considered normal or ethical behavior for a security researcher?
Hopefully it wasn't just closed to him, but closed to everyone else too.
> Is this considered normal or ethical behavior for a security researcher?
weev did something similar (scraped 100k phone numbers from Apple, then shared them with a journalist) and was convicted and sentenced to 41 months in prison for it.
Yes, but the overturn wasn't based on urls, or scraping, or disclosure, or security, or damages, it was based on him being charged in the wrong state. The court system still thinks everything else about the case was fine.
accessing an API? I question how ethical what he did is, but I don't see how it is illegal. I think it's a lot like scraping, which LinkedIn failed to sue people for.
I doubt it's currently illegal, but I don't think it's impossible to make it illegal. Accessing the API enough to prove a flaw and report it is one thing. Getting 17 million PII records over the space of 60 days is orders of magnitude beyond that.
Especially given that things like GDPR and the CCPA are drawing clear boundaries around private data and how companies can use it, it shouldn't be impossible to make laws that regulate how third parties access and use that data.
I'd also hope that Twitter faces regulatory penalties and perhaps civil liability depending on the harm done.
There's nothing white-hat about this. He accessed as much private data as possible, and didn't report the vulnerability to Twitter or to affected users.
Of course what Ibrahim did wasn't full disclosure either, so he shouldn't be fully congratulated. But bragging about it was better than keeping silent about it in this case.
This is a "feature", not a bug. Twitter keeps asking for phone numbers all the time and then suggests you also allow others to discover your account via phone number.
So this guy merely enumerated a lot of phone numbers and found accounts of users who agreed to have their phone number publicly match their account.
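The two comments above describe the mechanism at the centre of this story: a phone-number discovery feature where the backend answers for any number that matches and the privacy setting is only honoured by the client. The following is an added example, written for this page and not code from the original thread or from Twitter. The directory, handles, numbers and quota limits are all constructed for illustration; the contrast is between a lookup that ignores the `DiscoverableByPhone` setting server-side and one that enforces it and also budgets how many numbers a single caller may probe.

```go
package main

import (
	"errors"
	"fmt"
)

// User is one account in a constructed sample directory (not real accounts).
type User struct {
	Handle              string
	Phone               string // number stored after SMS verification
	DiscoverableByPhone bool   // the "let others find me by my phone number" setting
}

var directory = []User{
	{Handle: "@alice", Phone: "+15550100001", DiscoverableByPhone: true},
	{Handle: "@bob", Phone: "+15550100002", DiscoverableByPhone: false}, // opted out
	{Handle: "@carol", Phone: "+15550100003", DiscoverableByPhone: true},
}

// LookupVulnerable models the failure mode discussed in the thread: the backend
// returns a handle for every number that matches, and the discoverability
// setting is only consulted by the client when it renders suggestions. Anyone
// who calls the endpoint directly sees the opted-out users too.
func LookupVulnerable(numbers []string) map[string]string {
	found := map[string]string{}
	for _, n := range numbers {
		for _, u := range directory {
			if u.Phone == n {
				found[n] = u.Handle
			}
		}
	}
	return found
}

var (
	ErrBatchTooLarge = errors.New("too many numbers in one upload")
	ErrQuotaExceeded = errors.New("daily lookup quota exceeded")
)

// Quota is a per-caller budget on how many numbers may be probed. The limits
// are illustrative; real values would be tuned to legitimate address-book sizes.
type Quota struct {
	MaxBatch int
	MaxDaily int
	used     map[string]int
}

func NewQuota(maxBatch, maxDaily int) *Quota {
	return &Quota{MaxBatch: maxBatch, MaxDaily: maxDaily, used: map[string]int{}}
}

// LookupHardened enforces the privacy setting on the server and charges the
// caller's quota before answering. A number whose owner opted out is treated
// exactly like an unregistered number, so the response does not reveal that
// an account exists for it.
func (q *Quota) LookupHardened(caller string, numbers []string) (map[string]string, error) {
	if len(numbers) > q.MaxBatch {
		return nil, ErrBatchTooLarge
	}
	if q.used[caller]+len(numbers) > q.MaxDaily {
		return nil, ErrQuotaExceeded
	}
	q.used[caller] += len(numbers)

	found := map[string]string{}
	for _, n := range numbers {
		for _, u := range directory {
			if u.Phone == n && u.DiscoverableByPhone {
				found[n] = u.Handle
			}
		}
	}
	return found, nil
}

func main() {
	probe := []string{"+15550100001", "+15550100002", "+15550100003", "+15550100004"}
	fmt.Println("vulnerable:", LookupVulnerable(probe)) // @bob leaks despite opting out

	q := NewQuota(10, 20)
	hardened, _ := q.LookupHardened("caller-1", probe)
	fmt.Println("hardened:  ", hardened) // only @alice and @carol
	_, err := q.LookupHardened("caller-1", make([]string, 11))
	fmt.Println("oversized batch:", err)
}
```

The quota only slows down a single caller; many accounts each staying within budget can still sweep a country's number space, which is why the server-side setting check, and returning nothing for opted-out numbers rather than a distinguishable error, are the controls that actually protect the users who asked not to be found.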
Yeah. Not long ago I thought I could finally try Twitter, but 20 minutes in (just enough time to follow a couple of people and to start getting familiar with the UI) I found the UI to be totally blocked by the demand that I submit my phone or else. Naturally, I figured I don't need Twitter that much.
So to call a feature nobody asked for which they went a long way to introduce a "bug"... yeah.
Same thing happened to me when I just wanted to sign up to follow some esports organizations. It says a phone number is optional during signup, then a few minutes after I create my account it becomes locked and I get an automated message saying that I'm suspected of being a bot, and the only way to unlock it is by giving them my phone number.
The worst part about this is that twitter requires you to add a phone number. Why?? That’s very privacy hostile, since a phone number is very personal and identifiable.
And it’s like a bait and switch. They don’t require it at sign up, but within a short time they’ll lock your account until you add it.
A dark pattern, because while it's not actually required it might as well be: their 'account locked' email conveniently leaves out that you can simply email them and have them re-enable the account without a phone number.
In order to continue safely using Twitter, please follow these steps:
1. Log in to your account on the web or open your Twitter app (iOS or Android).
2. You’ll see a prompt letting you know your account has been locked. Click or tap “Start”.
3. Select your country/region from the drop down menu, and then enter your phone number.
4. Click “Send code” and Twitter will send you a text message with a confirmation code (note that your standard message rates may apply).
5. Enter the code you received in the “Your code” box and click “Submit”.
6. You will see a confirmation message that your account is now unlocked.
Once you confirm your identity, it may take up to a few minutes for your account to be unlocked.
If you’re still experiencing an issue after confirming your identity, please reply to this message and provide us with specific details of the problem you're experiencing. We’ll do our best to help!
Thanks,
Twitter Support
If you reply to this saying you don't have a phone they will re-enable your account but there's no mention of that or "click here to verify account" option.
I had deleted my account and wanted to make a new one for a new business. When it asked me for a phone number, I clicked back.
It has been a year and it still takes me straight to the phone number form any time I click a link for twitter. I can't even log out or do anything else.
So now I must either provide the phone number, use Twitter incognito, or delete the cookies. My guess is that for the casual non-tech user this means they will never use Twitter again until they put in their phone number because it's not possible to back out.
I setup a Twitter account so I could easily get images off my PS4. Right afterward they locked my account for not entering a number. Today I feel justified for leaving it locked and never looking back.
In Russia you can pay several roubles (which you can deposit using bitcoin) to a service providing phone numbers for registration. Such services are usually used by spammers (sorry, I mean marketers and SMM people) to create multiple accounts on social networks, but can be used to protect one's privacy too.
Sadly, not all services are good. Many of them block SMS from banks, loan firms and payment systems and I don't want to support them.
You can buy accounts on the /r/BitMarket subreddit.
That arguably != "cannot". But you can get close by using Tor via nested VPNs to access Reddit. And by paying with some suitably anonymous cryptocurrency. Maybe well-mixed Bitcoin. Or some Ethereum flavor, perhaps exchanged to Bitcoin.
Alternatively, some virtual SMS sites may still work for Twitter. Or there are sites where you can lease actual hosted SIM cards.
Approach a stranger who needs money, somewhere well out of view of any cameras. Pay them to buy a prepaid phone from Walmart or the like, using cash, on your behalf.
Sure. But activating such phones typically requires a telephone call. Or at least, it did the last time I tried it. And pay phones are now rare in the US.
Also, even if the phone is totally anonymous, you'll be geo-located as soon as you use it. By cell towers at least, and perhaps by WiFi and GPS.
There are countries that allow you to buy SIM cards without identification, even in bulk. (e.g. Ukraine) They are also sold on various platforms including reddit. You can even enumerate known ports for certain web interfaces (cough ACE *cough) and access them with default passwords.
I think these days, Twitter will suspend your account immediately after sign-up, for "suspicious activity", and require a phone number to re-enable it.
At this point it has to be on purpose, right? There is no way that Twitter has just overlooked this closing of accounts "for suspicious activity" for years right when the account is created.
I made one a week or two ago, followed some people, made a few tweets, and wasn't asked for a phone number. I wasn't even asked for a CAPTCHA.
I deleted the account a few days later because Twitter is dull and the entire point of what I was trying to do was see if the rumors of immediate account flagging were true. They don't seem to be.
I made one a few months ago and it immediately did the suspicious activity provide phone number b.s.
I've not tried again since, and considered twitter 100% off-limits after that experience since it's obviously just an effort to acquire phone numbers coupled to accounts and email addresses under the guise of "security".
When I had a Twitter account, I had to provide a fake number to continue using it, but I was active in different political discussions and that might be the reason. Twitter didn't explain why it required a phone number, except for saying it was necessary for security or something like this.
Also, Microsoft will require a phone number once you try to log into an Outlook email account from other IP address than you have signed up with. Again, it says the number is necessary to "secure an account from hackers" or something like this.
> Also, Microsoft will require a phone number once you try to log into an Outlook email account from other IP address than you have signed up with.
That's quite a good idea. They're effectively using your IP as a 2nd factor auth for those people who refuse to use 2 factor. If, like many people, you have a static IP at home, and they whitelist IPs your sessions roam to, you may never need to log in from a new IP.
was the account you created with your personal information? because if you create a throwaway it will be flagged immediately, but if you use the image of a friend for example, you can continue for a couple of hours before getting flagged
Of course it is. If pressed, they will surely find a justification for it in reducing spam and bots. Less defensible is why they would wait to get a phone number until after you make an account.
And of course, try not to compare it with the Chinese rules requiring phone number verification for online accounts...
I recently started to use the "neo-banks" (fintech apps that may or may not be actual banks, mostly for payments). All of them offer an app and APIs and ways to discover which contacts use the same app via their phone number.
Immediately following this I received highly targeted phishing sms messages that included links to plausible looking login pages.
Perhaps this shouldn't be too surprising, but people will get burned and somebody will have to pay for it.
I think it was irresponsible to keep collecting more phone numbers, and I think he should've let Twitter handle informing users of this vulnerability. Had he used responsible disclosure, he could have claimed a nice bug bounty (between $280 and $2,940, according to [0]).
I'm always curious why these bug bounty programs for billion dollar companies pay so little.
Why not make this a 10K, 25K bounty even if it's small potatoes?
That amount is nothing to Twitter but might prevent what happened in this case (continued collection of data, public release before Twitter could notify users, etc).
I've noticed this trend of painfully cheap bounties at most other tech giants too.
I mean, there is a mix here, some genuine notes about how high bounties can cause coordinated breaches to farm income but also notes about how bounties shouldn't replace pen testing (I agree, but have both and don't, as a pen tester, just argue that more money should go to pen testing, it's way too self-serving) and a weird comment that having a low bounty and then overpaying for a return of privileged data if the compromise could expose that data is a bad idea because it encourages bad actors - if the bounty is 3k and the data is worth 30 mil then yea, bad actors will emerge because you're criminally underpaying for exploits.
Honestly, a lot of the reasons I'm seeing for lowering the payout of bounties seems to revolve around "It's too expensive"
Which serves the argument that instead of rewarding people for sharing vulnerabilities we should be punishing companies for having them. Harshly. The more data points a company tracks the faster the fine should approach 100% of the entire company market cap. Their subsidiaries, parent companies, board, and executives should also not be immune but rather personally liable for egregious cases of not knowing, failing to, or cutting corners around documented best practices, security patching, hardware rotation etc. The entire industry needs to be reworked to put security first and make all PII hazardous.
Sadly software is going the way of construction. Things will only change when tptb get inordinately affected.
There are a lot of unethical and illegal things that will earn more money than bug bounties. Some, like posting fake "elon musk giving away ETH" tweets, don't even require finding a security vulnerability. Twitter should increase their bounties to incentivize reporting and auditing, but they're never going to win a bidding war with state-sponsored vulnerability markets.
Exactly. And it's not even 3K, it's "280-2940", and it can well be argued to be of low importance, because it's "a misused feature, and not a critical bug" (I remember exactly that happening with WhatsApp or Telegram — not sure which it was — after somebody brute-forced phone numbers to collect accounts exactly the same way; and unlike Twitter, they even have a less made-up reason to have your number). Even if you are a relatively law-abiding person you have to be absolutely crazy to be expected to collect a measly $300-3000 and restrain yourself from finding out Donald Trump's personal phone number.
When sites collect phone numbers to "find friends", there is always a chance that they will be leaked. And even worse, someone having enough resources will check all existing phone numbers and get a mapping between numbers and accounts.
This reminds me of a story posted on Russian site [1], where researchers managed to bypass Instagram's protection and find accounts by phone number. Sadly, I cannot confirm described method because their site requires a Google Account to find Instagram account by phone number. But if it's true it shows that even Facebook and thousands of its engineers cannot protect their users' data.
When you have a typical "find friends" feature, there is no way to secure it. Each friend can lookup a large address book of 1000 users, then very quickly the whole valid phone number space can be searched.
“ he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly”
What on earth does this actually mean? And why does he still have a verified Twitter account or an account at all when he exploited it for 2 months without informing them?
This must be the "Account Security Issue" Twitter e-mailed me about last week. I was wondering when they'd release more details: https://i.imgur.com/yjzMtLB.png
Transcription:
"SUBJECT: Twitter Account Security Issue – Update Twitter for Android
Hello,
We recently fixed an issue that could have compromised your account. Although we don’t have evidence that this was exploited, we can’t completely confirm so we are letting you know. You can learn more about this issue here.
Please update to the latest version of Twitter for Android as soon as possible to make sure your account is secure.
We’re sorry this happened and will continue working to keep your information secure on Twitter. You can reach out to our Office of Data Protection through this form to request information regarding your account security.
This was changed recently, you can remove your phone number and continue to get 2FA support. The developer dashboard however won't function without a phone number for whatever reason.
No. But you should be concerned if you choose to give your phone number to people, because if they know it they might leak it through any combination of malice or incompetence.
Other than my banks, none of the systems I've enabled MFA for required a telephone number.
That includes: Dropbox, GitHub, Slack, Facebook, Nintendo, Google, Login.gov and the Digidentity.eu variant of Gov.uk Verify.
Everywhere it was possible I used my FIDO Security Keys which are phishing proof, impractical to de-anonymise and foolproof because the site has no secrets to leak. Whenever I hear that a site I already used MFA for gained WebAuthn or U2F I go back and switch that site to Security Keys.
Everywhere else I used TOTP (Google Authenticator) which can be phished using a live proxy and the site could leak their copy of your TOTP secret (not the changing code, but the secret that drives it) but other than those two concerns it's pretty safe. At least nobody can work out your real world identity by knowing your TOTP secrets.
Not unless the service requires a phone number in order to enable MFA. Some providers require the phone number for "recovery" purposes once MFA is enabled very much defeating the usefulness. Countless times we've heard of a helpful AT&T / T-Mobile / Verizon employee forwarding texts or generating a new SIM card for a scammer with a fake ID. It's just too easy.
The particularly nice thing about FIDO Security Keys that's relevant here is even a hideously incompetent implementation doesn't hurt you. The Relying Party (in this case Twitter) doesn't end up with any secrets, they get an apparently random "cookie" value to give back to you when they want you to prove you've still got that key, and an elliptic curve public key that doesn't correlate to anything except your login on their site. If they screwed up so badly that the Twitter web site showed a user's U2F parameters to every single visitor looking at their tweets it not only wouldn't unmask any pseudonyms used (as a phone number definitely would) it wouldn't even make it easier to log in as that user. FIDO is the right thing everywhere that a second factor is needed, but even more so when you don't trust the implementers to do a good job.
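The comments above contrast what a site ends up holding for each second factor: the TOTP secret (a leak of which lets anyone mint valid codes) versus a FIDO credential record (an opaque handle plus a public key, neither of which helps an attacker log in or deanonymise the account). The following is an added example written for this page, not code from the thread, from Twitter or from any FIDO library. It is a deliberately simplified model: the TOTP uses HMAC-SHA256 rather than the more common SHA-1, the signed data is just a hash of the relying-party ID and the challenge rather than the full U2F/WebAuthn authenticator data, and all secrets, challenges and the `twitter.example` / `twltter.example` origins are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---- TOTP: server and authenticator app share one secret ----

// TOTPCode computes a 6-digit code for a time-step counter (RFC 4226 dynamic
// truncation over an HMAC; SHA-256 here, most deployments use SHA-1).
// Whoever holds the secret, legitimately or from a leaked server table,
// can run this and get a valid code.
func TOTPCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000)
}

// ---- FIDO-style assertion: the server stores only public data ----

// Authenticator is the security key; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Credential is everything the relying party keeps after registration:
// a random handle and a P-256 public key. Neither is a secret.
type Credential struct {
	ID     []byte
	PubKey *ecdsa.PublicKey
}

// Register creates a key pair on the authenticator and returns the record
// the relying party stores.
func Register() (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{ID: id, PubKey: &priv.PublicKey}, nil
}

// signedData binds the challenge to the relying-party identity. Real U2F and
// WebAuthn sign a richer structure (app ID hash, counter, client data hash);
// the binding to the origin is the part that gives phishing resistance.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the authenticator's response for the origin it believes it is talking to.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// Verify is the relying party's check, using nothing but the stored public key.
func (c Credential) Verify(rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.PubKey, signedData(rpID, challenge), sig)
}

func main() {
	// Constructed TOTP secret: a leaked server copy is as good as the original.
	secret := []byte("constructed-shared-secret")
	fmt.Println("TOTP from server copy:", TOTPCode(secret, 54321))

	auth, cred, err := Register()
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-random-challenge")
	sig, _ := auth.Sign("twitter.example", challenge)
	fmt.Println("genuine assertion verifies:", cred.Verify("twitter.example", challenge, sig))

	// Phishing proxy relays the real challenge, but the key signs for the origin it sees.
	phished, _ := auth.Sign("twltter.example", challenge)
	fmt.Println("relayed phishing assertion verifies:", cred.Verify("twitter.example", challenge, phished))

	// Everything in cred is public; an attacker with it still lacks the private key.
	attacker, _, _ := Register()
	forged, _ := attacker.Sign("twitter.example", challenge)
	fmt.Println("assertion from leaked record alone verifies:", cred.Verify("twitter.example", challenge, forged))
}
```

The last two checks are the point of the comment: dumping every `Credential` on the site yields nothing that authenticates as the user, whereas dumping the TOTP table yields the codes themselves. The origin binding is also why a live phishing proxy that works against TOTP fails against a security key.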
Twitter currently does not allow adding more than one U2F key to an account. It's normative to have at least one extra key for backup. Google, GitHub, even Facebook support adding multiple hardware tokens to an account, but not Twitter.
Also, if you try requesting for an API key, they insist that you add a phone number to your account.
When a website asks for a phone number I treat it as "please provide a DNA sample and birth certificate in triplicate" and close the tab. It's ridiculous to what ends consumers will go and accept as "privacy compromises". Hopefully GDPR will make these practices costly enough.
Did they report this breach as required by GDPR rules in the EU? I can't imagine the GDPR rules don't apply to an American company when they are active in the EU? Especially if they have (do they?) a branch in the EU, like for ads revenue or royalties to lessen the tax paid in Ireland or The Netherlands, like Uber.