Twitter API Bug Exposes Users’ Country Codes

Twitter has been forced to issue an alert that an unknown number of users may have had their location uncovered by possible state-sponsored attackers.

The social networking giant claimed it became aware of an issue with one of its support forums in mid-November and fixed it a day later on the 16th.

“This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter,” it explained. “We lock an account if it appears to be compromised or in violation of the Twitter Rules or our Terms of Service.”

The first issue could be serious because, although full phone numbers weren’t revealed in the privacy snafu, the country code alone is enough to infer which country affected users are based in.

This takes on a more sinister hue when one considers who may have been behind the attack.

“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia,” Twitter continued.

“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.”
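The signal Twitter describes, an unusually large number of inquiries to one API endpoint from individual IP addresses, is the kind of thing a per-source volume check over access logs surfaces. The following is an added example, not Twitter’s code or tooling: it assumes a simplified log line format (`<ISO-8601 timestamp> <client IP> <path> <status>`), a hypothetical endpoint path `/support/form`, a five-minute bucket and a threshold of 20 requests per bucket, and it runs over a constructed sample log rather than real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format for this example (not Twitter's real format):
#   "<ISO-8601 timestamp> <client_ip> <request path> <HTTP status>"


def parse_line(line):
    """Split one access-log line into (timestamp, ip, path, status)."""
    ts_s, ip, path, status = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, path, int(status)


def window_start(ts, window_minutes):
    """Truncate a timestamp to the start of its fixed-size time bucket."""
    minute = (ts.minute // window_minutes) * window_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)


def count_requests(log_lines, path_prefix, window_minutes):
    """Count requests to the watched endpoint, keyed by (ip, bucket start)."""
    counts = defaultdict(int)
    for line in log_lines:
        if not line.strip():
            continue
        ts, ip, path, _status = parse_line(line)
        if not path.startswith(path_prefix):
            continue  # unrelated traffic is not counted against the endpoint
        counts[(ip, window_start(ts, window_minutes))] += 1
    return counts


def find_high_volume_ips(log_lines, path_prefix="/support/form",
                         window_minutes=5, max_per_window=20):
    """Return (ip, bucket_start_iso, count) for every source/bucket pair
    whose request count to the endpoint exceeds max_per_window."""
    counts = count_requests(log_lines, path_prefix, window_minutes)
    hits = [(ip, ws.isoformat(), n)
            for (ip, ws), n in counts.items() if n > max_per_window]
    # Highest volume first, then stable ordering for deterministic output.
    hits.sort(key=lambda h: (-h[2], h[0], h[1]))
    return hits


def build_sample_log():
    """Constructed sample log (TEST-NET addresses, invented timestamps)."""
    base = datetime(2018, 11, 15, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ts):
        return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Ordinary users: a few lookups each, spread over several minutes.
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for k in range(3):
            ts = base + timedelta(minutes=7 * i + 2 * k)
            lines.append(f"{fmt(ts)} {ip} /support/form 200")
    # One address querying the endpoint 30 times in three minutes.
    for k in range(30):
        ts = base + timedelta(seconds=6 * k)
        lines.append(f"{fmt(ts)} 203.0.113.50 /support/form 200")
    # Heavy but unrelated traffic that must be ignored by the check.
    for k in range(25):
        ts = base + timedelta(seconds=4 * k)
        lines.append(f"{fmt(ts)} 203.0.113.51 /static/app.js 200")
    return lines


if __name__ == "__main__":
    for ip, bucket, n in find_high_volume_ips(build_sample_log()):
        print(f"{ip} made {n} requests to /support/form in bucket starting {bucket}")
```

A fixed per-bucket threshold is the simplest form of this check; in practice the threshold would be set from the endpoint's normal per-source traffic, and the same counting could be keyed on a network prefix or ASN rather than a single address, since a determined enumerator spreads requests across many sources.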

Intelligence agencies in repressive regimes could benefit from knowing where rights campaigners, journalists and others operating online are based.

Twitter has directly informed all those it believes to be affected, but is taking the extra step of publicizing the information in case there are other account holders it can’t identify who have been impacted.
