Experts at Twitter discovered a possible state-sponsored attack while they were investigating an information disclosure vulnerability affecting its support forms. The experts discovered that the attack was launched from IP addresses that may be linked to nation-state actors.
The flaw affected a support form that could be used to contact Twitter in case of problems with an account. The flaw could have been exploited to obtain the country code of a user’s phone number and determine whether or not the account had been
An account could be locked if it violates rules or terms of service, or if the account was compromised. The social media platform fixed the flaw on November 15, in just 24 hours.
The experts noticed a suspicious activity related to the API associated with the flawed customer support form.
“During our investigation, we noticed some unusual activity involving the affected customer support form API.” reads a blog post published by Twitter.
“Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.”
Twitter, like many other social media platforms, are a privileged target for state-sponsored hackers that could use them for online propaganda and spread fake news.
In November, the researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party. The expert was awarded $2,940 for reporting the bug to the company under the bug bounty program operated through the HackerOne platform.
(SecurityAffairs – intelligence,hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.