Twitter revealed that a July data breach that put millions of user accounts up for sale was the result of an exploited zero-day vulnerability.
In late July, someone identified only by the handle “devil” posted on Breached Forums claiming to have data on 5.4 million Twitter user accounts and offering it for US$30,000, according to a report by Restoring Privacy.
Twitter has confirmed that a zero-day vulnerability first discovered in January 2022 was exploited to obtain account data.
In a post published last week, Twitter said it was notified of the issue through the HackerOne bug bounty program.
According to the company, a July 2021 software update introduced a user enumeration bug.
An attacker who knew about the bug could submit a phone number and learn whether a user account was associated with it.
As “zhirinovskiy” explained in the HackerOne report, the bug let attackers discover Twitter accounts by phone number or email address “even if the user forbids this in their privacy options.”
“This bug exists due to the authorization process used by Twitter’s Android client, specifically the process of checking for duplicate Twitter accounts.”
Zhirinovskiy was paid US$5040 (A$7273) for the report.
As confirmed in the Twitter post, the bug made it possible to learn “whether a phone number or email address entered into the login flow was associated with an existing Twitter account and, if so, which specific account.”
An email address could be used in the same way, the Twitter post said.
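As an added illustration (a constructed model, not Twitter's code), the duplicate-account check pattern described above beside a hardened variant that answers identically whether or not the identifier is registered, plus a simple detection heuristic; the account records, log lines and the verification-message approach are assumptions:

```python
from dataclasses import dataclass

@dataclass
class Account:
    handle: str
    email: str
    phone: str
    discoverable: bool  # "let others find me by phone/email" privacy setting

# Constructed sample accounts, not real data.
ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550000001", discoverable=True),
    Account("bob", "bob@example.com", "+15550000002", discoverable=False),
]

def leaky_duplicate_check(identifier: str) -> dict:
    """Vulnerable pattern: the duplicate-account check names the matching
    account whether or not the owner opted out of being discoverable."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return {"taken": True, "handle": acct.handle}
    return {"taken": False}

def hardened_duplicate_check(identifier: str) -> dict:
    """Hardened pattern: the response is identical for registered and
    unregistered identifiers and never names an account; the duplicate is
    resolved out of band by a verification message to the identifier."""
    _ = any(identifier in (a.email, a.phone) for a in ACCOUNTS)  # same work either way
    return {"status": "verification_sent"}

# Constructed access-log lines: "<client> <identifier submitted>".
SAMPLE_LOG = [
    "198.51.100.4 alice@example.com",
    "203.0.113.9 +15550000001",
    "203.0.113.9 +15550000002",
    "203.0.113.9 +15550000003",
    "203.0.113.9 +15550000004",
]

def flag_enumeration(log_lines, threshold: int = 3) -> list:
    """Detection heuristic: clients that submit many distinct identifiers
    to the check in one window look like enumeration, not signup."""
    probes: dict = {}
    for line in log_lines:
        client, ident = line.split()
        probes.setdefault(client, set()).add(ident)
    return sorted(c for c, seen in probes.items() if len(seen) >= threshold)
```

The hardened check still performs the lookup so that response timing does not become a side channel that distinguishes registered identifiers.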
“When we learned about this, we immediately investigated and fixed it,” Twitter said.
“In July 2022, we learned through press reports that someone may have taken advantage of this and offered to sell the compiled information.
“After reviewing a sample of available data for sale, we have confirmed that malicious individuals were exploiting the issue before it was resolved.”
Twitter said it made the post public because it was unable to contact all affected users, especially those who maintained pseudonymous accounts.
Twitter zero-day bug exposed account data – security