Twitter flags suspected state-sponsored attack after unusual activity from China and Saudi Arabia
Malicious actors exploited two bugs with the platform's support form to gather hidden information, including phone numbers


Twitter has confirmed its platform was hit by a suspected state-sponsored attack last month, with a host of malicious actors taking advantage of a bug to harvest users' phone numbers.
In a statement released yesterday, the social networking platform said it became aware of two bugs being exploited from IP addresses based in China and Saudi Arabia after noticing unusual activity involving the affected customer support form API.
Requests made from these IP addresses, which Twitter has highlighted as possibly being associated with state-sponsored actors, targeted the support form that users employ to report issues to Twitter staff.
Two bugs, flagged on November 15 and fixed the following day, allowed an attacker to access a user's phone number and country code, as well as establish whether or not their account had been locked by Twitter.
"Since we became aware of the issue, we have been investigating the origins and background in order to provide you with as much information as possible," the company said in a statement.
"Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.
"While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors."
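As an added illustration (not Twitter's code, logs or data), the following detector runs over constructed support-form access logs and flags a single IP that submits the form for many distinct accounts within a short window, the enumeration pattern described above, while leaving a client that merely retries a ticket for one account alone. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical log format: "<timestamp> <client ip> POST /support/form account=<handle>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /support/form account=(?P<account>\S+)$")


def parse_line(line):
    """Return (timestamp, ip, account) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], FMT), m["ip"], m["account"]


def find_enumerating_ips(lines, window=timedelta(minutes=5), min_requests=20, min_accounts=15):
    """Flag IPs whose busiest `window` contains at least `min_requests` submissions
    spread over at least `min_accounts` distinct accounts (assumed thresholds)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, account = parsed
            events[ip].append((ts, account))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, best = 0, (0, 0)
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            in_window = evs[start:end + 1]
            best = max(best, (len(in_window), len({acct for _, acct in in_window})))
        if best[0] >= min_requests and best[1] >= min_accounts:
            flagged[ip] = {"requests": best[0], "distinct_accounts": best[1]}
    return flagged


def build_sample_log():
    """Constructed sample: two ordinary users, one enumerating client, one retrying client."""
    base = datetime(2018, 11, 15, 10, 0, 0)
    lines = [f"{base.strftime(FMT)} 198.51.100.10 POST /support/form account=alice",
             f"{(base + timedelta(minutes=2)).strftime(FMT)} 198.51.100.11 POST /support/form account=bob"]
    for i in range(30):   # one IP walking through many different accounts seconds apart
        lines.append(f"{(base + timedelta(seconds=3 * i)).strftime(FMT)} 203.0.113.7 POST /support/form account=user{i:04d}")
    for i in range(25):   # many submissions, but all for a single account (ticket retries)
        lines.append(f"{(base + timedelta(seconds=10 * i)).strftime(FMT)} 192.0.2.5 POST /support/form account=carol")
    return lines


if __name__ == "__main__":
    print(find_enumerating_ips(build_sample_log()))
```

Only the client touching many distinct accounts is reported; the high-volume single-account client is not, which is why the distinct-account count matters alongside the raw request rate.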
Twitter said that no action was required by account holders and that the firm has informed law enforcement of the findings of its investigation.
The second bug, which allowed malicious actors to view whether a user's account had been locked, may seem relatively minor, but accessing a user's registered phone number constitutes a far more serious breach of privacy.
Throughout its history, the social networking platform has been ripe for exploitation by state-sponsored actors, as well as cyber criminals.
Researchers, for instance, outlined earlier this year how threat actors established a three-tier 'crypto-giveaway' botnet on the platform comprising millions of fake accounts.
The platform is also facing a General Data Protection Regulation (GDPR) probe over the handling of a user's subject access request (SAR), which Twitter had refused to comply with on the grounds it would take 'disproportionate effort'.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.