Twitter keeps doing what it always does: making mistakes, then fixing them after serious damage has been done. This year, a vulnerability in Twitter’s log-in flow was found that endangered the anonymity and privacy of pseudonymous accounts.
Twitter has known about the issue for some time, but it was not publicly disclosed until yesterday (06/08/22), in a short post on the weakness that said the vulnerability had been fixed.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account and, if so, which specific account,” the post stated.
Twitter learned of the flaw at the beginning of this year, said it was fixed immediately, and attributed it to a code update made in June 2021.
“At the time, we had no evidence to suggest someone had exploited the flaw,” Twitter said.
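The flaw Twitter describes is a classic account-enumeration oracle: a log-in step that answers differently depending on whether the email or phone number it was given belongs to an account, and, worse, names the account when it does. The following is an added example, not Twitter’s code, written to show the shape of such a leak beside its hardened form. The accounts, handles, identifiers and passwords are constructed; `vulnerable_login`, `hardened_login` and `enumerate_identifiers` are hypothetical names.

```python
# Added example (not Twitter's code): how a login flow leaks "is this email or
# phone number tied to an account, and which one?", and the hardened form.
# Every account, identifier, handle and password below is constructed.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed account directory, keyed by the identifiers a login form accepts.
ACCOUNTS: Dict[str, dict] = {
    "alice@example.com": {"handle": "@alice_pseudonym", "cred": hash_password("correct horse")},
    "+15550100": {"handle": "@whistleblower42", "cred": hash_password("battery staple")},
}

# A credential that belongs to no account. The hardened path verifies against it
# when the identifier is unknown, so both paths cost the same amount of work.
DUMMY_CRED = hash_password(secrets.token_hex(16))


def vulnerable_login(identifier: str, password: str) -> dict:
    """Distinct responses for 'no such account' and 'wrong password', and the
    wrong-password branch even names the account: a complete enumeration oracle."""
    acct = ACCOUNTS.get(identifier)
    if acct is None:
        return {"status": 404, "error": "Sorry, we could not find your account."}
    if not verify_password(password, *acct["cred"]):
        return {"status": 401, "error": f"Wrong password for {acct['handle']}."}
    return {"status": 200, "handle": acct["handle"]}


def hardened_login(identifier: str, password: str) -> dict:
    """One failure response for both cases, the same hashing work on both paths,
    and the handle is only revealed after a correct password."""
    acct = ACCOUNTS.get(identifier)
    salt, digest = acct["cred"] if acct else DUMMY_CRED
    ok = verify_password(password, salt, digest) and acct is not None
    if not ok:
        return {"status": 401, "error": "Invalid credentials."}
    return {"status": 200, "handle": acct["handle"]}


def fingerprint(response: dict) -> tuple:
    """What an attacker can observe about a response: status code and body text."""
    return (response["status"], response.get("error"), response.get("handle"))


def enumerate_identifiers(login: Callable[[str, str], dict], candidates: List[str]) -> Dict[str, dict]:
    """Attacker holding a list of emails/phones and no passwords. Each candidate
    is probed with a junk password; any response that differs from the response
    for an identifier that cannot exist marks the candidate as registered."""
    baseline = fingerprint(login("nobody-" + secrets.token_hex(8) + "@example.net", "junk"))
    hits: Dict[str, dict] = {}
    for identifier in candidates:
        response = login(identifier, "junk")
        if fingerprint(response) != baseline:
            hits[identifier] = response
    return hits


# Constructed probe list: two registered identifiers, two that are not.
CANDIDATES = ["alice@example.com", "bob@example.com", "+15550100", "+15550199"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_identifiers(vulnerable_login, CANDIDATES))
    print("hardened:  ", enumerate_identifiers(hardened_login, CANDIDATES))
```

Against `vulnerable_login` the probe returns the two registered identifiers together with the handle each one maps to, which is exactly the phone-number-to-pseudonym linkage at issue in the disclosure; against `hardened_login` it returns nothing, because every failed attempt looks the same. The dummy verification matters as much as the uniform message: if the unknown-identifier path skipped the hash, response time alone would still reveal which identifiers exist. Per-identifier and per-client rate limiting is the second control, since even a uniform oracle still allows password guessing at scale.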
Six months after the patch, a bug bounty researcher reported that a hidden website was offering data on 5.4 million accounts, pseudonymous accounts among them and, reportedly, those of “celebrities and corporations.”
“We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” said Twitter.
Twitter ended the post by advising users to enable two-factor authentication to protect their accounts from future attacks. That advice addresses account takeover, not the harm this flaw caused: two-factor authentication stops someone who has learned a phone number or email address from logging in, but it does not undo the link the flaw exposed between that identifier and a pseudonymous handle. An account that needs to stay pseudonymous should not be registered with a phone number or email address that can be traced to its owner.
A similar issue cropped up in 2020, in which direct messages and other private account data could be exposed to a malicious app installed on the same device. That problem affected users of Twitter for Android on Android versions 8 and 9. Twitter said then that it had fixed the flaw, though it offered nothing beyond its own statement as evidence.