Twitter code flaw exposed accounts for nearly a year

A flaw in the code that handles Twitter logins allowed hackers to link accounts to the email addresses and phone numbers registered to them, potentially exposing account owners.

The flaw lay in how Twitter handled failed login attempts. Whenever someone tried to log in with an email address or phone number, whatever password they entered, Twitter reported that the password was wrong and, if an account was registered to that email or phone number, revealed which account it was. The error response itself therefore told the submitter whether, and to whom, the identifier belonged.
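The pattern described above, as an added example that is not Twitter's code: a login handler whose failure message differs depending on whether the identifier is registered, next to a hardened version that answers every failure identically. All accounts, handles and passwords are constructed placeholders for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; raise it in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass(frozen=True)
class Account:
    handle: str
    salt: bytes
    pw_hash: bytes


# Constructed sample records (hypothetical): identifier -> account.
_SALT = os.urandom(16)
ACCOUNTS = {
    "alice@example.com": Account("@alice_handle", _SALT, _hash("correct horse", _SALT)),
    "+15550000001": Account("@bob_handle", _SALT, _hash("battery staple", _SALT)),
}
# Dummy record so the hardened path does the same hashing work for unknown identifiers.
_DUMMY = Account("", _SALT, _hash("dummy", _SALT))


def vulnerable_login(identifier: str, password: str) -> str:
    """Mirrors the bug in the article: the wrong-password message names the
    account tied to the identifier, so any failed attempt reveals whether
    (and which) account is registered to that email or phone number."""
    account = ACCOUNTS.get(identifier)
    if account is None:
        return "No account found for that email or phone number."
    if hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        return f"Logged in as {account.handle}"
    return f"Wrong password for {account.handle}."


def hardened_login(identifier: str, password: str) -> str:
    """Same result on success; every failure returns one generic message,
    and unknown identifiers still hash a dummy record to keep timing similar."""
    account = ACCOUNTS.get(identifier, _DUMMY)
    ok = hmac.compare_digest(_hash(password, account.salt), account.pw_hash)
    if ok and account is not _DUMMY:
        return f"Logged in as {account.handle}"
    return "Invalid credentials."


def leaks_existence(login, known: str, unknown: str) -> bool:
    """Regression check for defenders: a failed login for a registered
    identifier must look the same as one for an unregistered identifier."""
    return login(known, "wrong-password") != login(unknown, "wrong-password")
```

`leaks_existence` is the kind of check worth keeping in a test suite so that a later change to the login path cannot quietly reintroduce an enumeration oracle.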

The company disclosed the flaw last Friday, apologising for the inconvenience caused and explaining that the issue was fixed as soon as it was discovered. Twitter says it learned of the flaw in January through a report submitted to its bug bounty program.

The bug was introduced by an update to the codebase made in June 2021. The company fixed the issue immediately after the report but found no evidence at the time that it had been exploited. In July this year, Twitter learned through a press report that the vulnerability had in fact been exploited and that the collected information was being offered for sale. After reviewing a sample of the data the threat actor was selling, Twitter confirmed that the vulnerability had been exploited before it was patched.

The company says it will directly notify users it can confirm were affected by the exploit, while acknowledging that it cannot confirm every account that was potentially impacted. According to the company's update, no passwords were exposed, but it has suggested that people using pseudonymous Twitter accounts not add a publicly known phone number or email address to their accounts.

While it’s not exactly a huge breach, the disclosure comes at a time when the company has its hands full in a legal battle with Elon Musk as it tries to force Musk to make good on his $44 billion deal to buy the micro-blogging platform.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>