Twitter reportedly did nothing about a bug, reported to it two years ago, that exposed the country codes of users' phone numbers around the world. At the time, the company's support team closed the bug report stating it did “not appear to present a significant security risk.”
Security researchers now say Twitter did nothing to address the problem after the report, leaving the bug live for two years. Furthermore, the social network has confirmed the flaw may have been exploited by what it suspects are state-backed actors.
“We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account,” the company admits.
“This could be used to discover the country code of people's phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.”
The bug was originally reported by Peerzada Fawaz Ahmad Qureshi, only for the report to be closed as “informative”, the bug-bounty triage status for a report that is acknowledged but judged not to need a fix. On Monday, Twitter disclosed the bug. Qureshi has now gone public, saying he warned the company about it two years ago.
Qureshi shared that original report with TechCrunch. It describes how he was able “to map out whether a mobile number is attached to a Twitter account including the country where the mobile number is registered by identifying the country code.”
Additionally, the bug report was detailed enough to show how an attacker could obtain the country code from someone else's account. The leak sat in Twitter's password-reset flow: after choosing “Forgot password”, a user who no longer has access to the account's email address can select “I don't have access”.
Twitter then presents a form in which the user can enter their phone number to receive a reset code. That form, however, arrived with the target account's country code already filled in. Because a reset can be started for any username, anyone could begin a reset for an arbitrary account and learn which country its phone number is registered in, without any access to the account itself.
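To make the failure mode concrete, here is an added example that is not Twitter's code or Qureshi's report: a small Python model of an account-recovery step. The vulnerable version pre-fills the phone prefix of the account on file (and, as Twitter's own statement notes, also reveals whether the account is locked), while the hardened version returns the same response for every handle. All handles, numbers and the prefix table are constructed for illustration.

```python
"""Model of the account-recovery leak described above.

Constructed illustration, not Twitter's code; account data and handles
are made up. The point is the difference between a reset form that
reflects data about the target account and one that does not.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Account:
    handle: str
    phone_e164: Optional[str]   # e.g. "+447700900123"; None if no phone on file
    locked: bool = False


# Constructed sample data (hypothetical users).
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", "+447700900123"),            # UK number
    "bob": Account("bob", "+919876543210", locked=True),   # India number, locked
    "carol": Account("carol", None),                       # no phone on file
}

# Tiny dialling-prefix table for the example; a real service would use a
# library such as `phonenumbers` rather than this constructed subset.
KNOWN_PREFIXES = {"1", "44", "91", "49", "33", "971", "972"}


def country_code_of(phone_e164: str) -> str:
    """Return the dialling prefix ("+44") of an E.164 number."""
    digits = phone_e164.lstrip("+")
    for length in (3, 2, 1):               # longest known prefix wins
        if digits[:length] in KNOWN_PREFIXES:
            return "+" + digits[:length]
    return "+" + digits[:1]


def reset_form_vulnerable(handle: str) -> dict:
    """The 'I don't have access to my email' step as the report describes it.

    The phone field comes back pre-filled with the account's country code,
    unknown handles get a distinct error (user enumeration), and locked
    accounts get an extra notice (lock-state leak).
    """
    acct = ACCOUNTS.get(handle)
    if acct is None:
        return {"error": "no such account"}
    resp = {
        "phone_prefix": country_code_of(acct.phone_e164) if acct.phone_e164 else ""
    }
    if acct.locked:
        resp["notice"] = "This account is locked."
    return resp


def reset_form_hardened(handle: str) -> dict:
    """Uniform response: no pre-filled prefix, no existence or lock hints.

    The server still looks the account up so that, if a code is sent, it
    goes to the number on file; nothing about that number, or about whether
    the account exists or is locked, is reflected to the caller.
    """
    _ = ACCOUNTS.get(handle)   # used only server-side, never echoed back
    return {
        "phone_prefix": "",
        "notice": "If an account matches, we'll send a code to the phone on file.",
    }


def enumerate_countries(form: Callable[[str], dict],
                        handles: Iterable[str]) -> Dict[str, str]:
    """What an attacker does with a leaky form: walk a list of handles and
    record the country prefix the form reveals for each one."""
    return {h: form(h).get("phone_prefix", "") for h in handles}


if __name__ == "__main__":
    targets = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_countries(reset_form_vulnerable, targets))
    print("hardened:  ", enumerate_countries(reset_form_hardened, targets))
```

The hardened variant is the usual fix for recovery flows: make the response independent of whether the handle exists, whether a phone is on file, and whether the account is locked, and never pre-populate the form with anything derived from the target account. Rate limiting the endpoint is a useful second layer, but it only slows the enumeration shown above; it does not remove the leak.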
It is worth noting that only the country code was leaked, not the full phone number. Still, an attacker could learn the country of an account holder, which critics say is a real risk for pseudonymous users in countries that restrict the kind of speech Twitter permits.
For what it's worth, Twitter says it discovered the bug on November 15 and fixed it the following day. While the bug is no longer live, the company clearly erred in not taking the original report seriously two years ago.