Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum

Twitter said it is investigating the authenticity of a batch of information connected to 5.4 million accounts that is being sold on a hacking forum.

First reported by RestorePrivacy, the hacker – going by the name “devil” – is offering email addresses and phone numbers connected to the accounts. The hacker claimed in the post on Breach Forums that the accounts range from “celebrities, companies, randoms, OGs, etc.”

Researchers immediately tied the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher who reported the issue through the HackerOne site.

The researcher explained that the vulnerability allowed an attacker to “find a twitter account by it’s phone number/email even if the user has prohibited this in the privacy options.”

“The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” the researcher, who goes by “zhirinovskiy,” explained. “The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings.

“This is a serious threat, as people can not only find users who have disabled discoverability by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities. Short: this can lead to a loss of privacy for many users.”

Twitter acknowledged the issue on January 6, paid a $5,040 bounty and resolved the vulnerability by January 13. The researcher confirmed that the vulnerability was fixed that same day.

RestorePrivacy verified with the hacker “devil” that the information in the database is legitimate and was told that they are selling it for “nothing lower than 30k.”
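As an added illustration, not code from Twitter or from the article, here is a hypothetical account duplicate-check handler in the leaky shape the researcher describes, beside a hardened version that requires authentication, honours each user's discoverability settings and gives the signup flow a uniform answer. The user records, the `User` model and the `send_verification_code` stub are constructed assumptions.

```python
"""Hypothetical duplicate-check endpoint: leaky pattern vs. hardened pattern."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    phone: Optional[str]
    email: Optional[str]
    discoverable_by_phone: bool   # the user's privacy opt-in
    discoverable_by_email: bool


# Constructed sample accounts (fake data); Alice has opted out of discovery.
USERS = [
    User(1001, "+15550100", "alice@example.com", False, False),
    User(1002, "+15550101", "bob@example.com", True, True),
]


def _find(identifier: str) -> Optional[User]:
    return next((u for u in USERS if identifier in (u.phone, u.email)), None)


def leaky_duplicate_check(identifier: str) -> dict:
    """Leaky pattern: no authentication, privacy settings ignored, and the
    account ID handed back, so phone/email -> account mappings can be harvested."""
    user = _find(identifier)
    return {"taken": user is not None, "user_id": user.user_id if user else None}


def hardened_lookup(identifier: str, caller_authenticated: bool) -> Optional[int]:
    """Contact-discovery lookup: caller must be authenticated, and an account
    whose owner opted out is indistinguishable from no account at all."""
    if not caller_authenticated:
        raise PermissionError("authentication required")
    user = _find(identifier)
    if user is None:
        return None
    opted_in = (user.discoverable_by_phone if identifier == user.phone
                else user.discoverable_by_email)
    return user.user_id if opted_in else None


def send_verification_code(identifier: str) -> None:
    """Stub (assumption): deliver a one-time code to the phone/email."""


def hardened_signup_check(identifier: str) -> dict:
    """Signup-time check: identical response whether or not the identifier is
    registered; the duplicate is resolved only after proof of possession."""
    send_verification_code(identifier)
    return {"status": "verification_sent"}
```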