A flaw in Twitter’s code regarding how it handles logging in has allowed hackers to link accounts with registered email addresses, potentially exposing the account owner.
The flaw lay in how Twitter handled failed login attempts. When someone submitted an email address or phone number with a password, Twitter reported that the password was wrong and, if an account was registered to that email address or phone number, revealed which account it was, regardless of whether the password was correct. That response let anyone test an email address or phone number and learn which Twitter account, if any, was tied to it.
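The pattern the article describes is a classic account-enumeration leak: a login endpoint whose failure responses differ depending on whether the identifier is registered. The following added example (not Twitter's code; a hypothetical reconstruction with constructed sample accounts) shows the leaky handler beside a hardened one that returns the same response for every failure, plus a small check a defender can run against either handler to detect the difference.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store for the demonstration: identifier -> record.
# The accounts, handles and passwords are made up; nothing here is real data.
_SALT = b"constructed-demo-salt"  # a real system uses a random per-user salt


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored credentials are not raw passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice@example.com": {"handle": "@alice_demo",
                          "pw": _hash_password("correct horse", _SALT)},
    "+15550100": {"handle": "@bob_demo",
                  "pw": _hash_password("battery staple", _SALT)},
}

# Dummy hash compared against when the identifier is unknown, so the handler
# does the same amount of work (and takes the same time) either way.
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _SALT)


def login_leaky(identifier: str, password: str) -> dict:
    """Vulnerable pattern (hypothetical): a failed attempt tells the caller
    whether the identifier is registered and which account it maps to."""
    record = USERS.get(identifier)
    if record is None:
        return {"ok": False, "error": "No account found for that email or phone"}
    if not hmac.compare_digest(record["pw"], _hash_password(password, _SALT)):
        # The leak: the handle is disclosed before any password was verified.
        return {"ok": False, "error": "Wrong password", "account": record["handle"]}
    return {"ok": True, "account": record["handle"]}


def login_uniform(identifier: str, password: str) -> dict:
    """Hardened form: every failure yields an identical response, and the
    account handle is returned only after a successful password check."""
    record = USERS.get(identifier)
    stored = record["pw"] if record is not None else _DUMMY_HASH
    candidate = _hash_password(password, _SALT)
    if record is None or not hmac.compare_digest(stored, candidate):
        return {"ok": False, "error": "Invalid email, phone number or password"}
    return {"ok": True, "account": record["handle"]}


def failure_responses_differ(login_fn) -> bool:
    """Defender's check: does a failed login for a registered identifier look
    any different from one for an unregistered identifier? True means the
    endpoint leaks account existence."""
    wrong_pw = "definitely-not-the-password"
    registered = login_fn("alice@example.com", wrong_pw)
    unregistered = login_fn("nobody@example.com", wrong_pw)
    return registered != unregistered


if __name__ == "__main__":
    print("leaky handler leaks existence:", failure_responses_differ(login_leaky))
    print("uniform handler leaks existence:", failure_responses_differ(login_uniform))
```

The check compares the full response body, not just a status code; in practice a reviewer would also compare headers, response size and timing, since any of those can carry the same signal.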
The company disclosed the flaw last Friday, apologising for the inconvenience caused and explaining that the issue was fixed upon discovery. Twitter says it learned of the flaw earlier in January through a report submitted to its bug bounty program.
The bug was introduced by an update to the codebase made in June 2021. The company fixed the issue immediately and found no evidence at the time that it had been exploited. Then in July this year, Twitter learned through a press report that the vulnerability had been exploited and that the information collected was being offered for sale. After reviewing a sample of the data the threat actor was selling, Twitter confirmed that the vulnerability had been exploited before it was patched.
The company says it will directly notify users it can confirm were affected by the exploit, while acknowledging that it will not be able to confirm every account that was potentially impacted. According to the company’s update, no passwords were exposed, but it has suggested that people using pseudonymous Twitter accounts not add a publicly known phone number or email address to their accounts.
While it is not a huge breach by the standards of recent incidents, the disclosure comes at a time when the company has its hands full with a legal battle against Elon Musk, as it tries to force Musk to make good on his $44 billion deal to buy the micro-blogging platform.