According to Twitter, a security vulnerability allowed an attacker to submit a phone number or email address to the login flow and learn whether it was linked to an existing Twitter account.
The flaw was introduced as part of a code update to the platform in June 2021. It was disclosed in January 2022 by a security researcher and patched after being reported through Twitter’s bug bounty program.
“When we found out, we immediately investigated and fixed the issue. At that time, we had no evidence to suggest anyone had taken advantage of this vulnerability,” Twitter wrote.
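As an added illustration (not Twitter's code, which is not public), the block below shows the general shape of the login-flow weakness the article describes: a lookup whose failure response differs for registered and unregistered identifiers, next to a hardened version that answers identically in both cases, plus a regression check a team can run against its own endpoint. The user store, the identifiers and the stand-in password verifier are constructed assumptions.

```python
# Added illustration, not Twitter's code. The user store and identifiers
# are constructed sample data; verify_password is a stand-in for a real
# password hasher such as argon2 or bcrypt.
import hmac
import secrets

# Constructed sample store: identifier -> stored password hash.
USERS = {
    "alice@example.com": "hash-of-alice-password",
    "+15550001111": "hash-of-bob-password",
}

def verify_password(stored_hash: str, password: str) -> bool:
    """Stand-in for a real verifier; constant-time comparison of a fake hash."""
    return hmac.compare_digest(stored_hash, "hash-of-" + password)

def login_enumerable(identifier: str, password: str) -> dict:
    """Weak pattern: the error text depends on whether the identifier is
    linked to an account, so existence can be confirmed without a password."""
    if identifier not in USERS:
        return {"ok": False, "error": "no account for this identifier"}
    if not verify_password(USERS[identifier], password):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True}

# Random dummy hash so the verifier still runs for unknown identifiers;
# it never matches any submitted password.
DUMMY_HASH = "hash-of-" + secrets.token_hex(16)

def login_uniform(identifier: str, password: str) -> dict:
    """Hardened pattern: one message and one code path for an unknown
    identifier and for a wrong password, and the verifier always runs so
    response timing does not reveal which case occurred."""
    stored = USERS.get(identifier, DUMMY_HASH)
    valid = verify_password(stored, password) and identifier in USERS
    if not valid:
        return {"ok": False, "error": "invalid identifier or password"}
    return {"ok": True}

def leaks_existence(login) -> bool:
    """Regression check for an authentication endpoint: True if the failure
    response differs between a registered and an unregistered identifier."""
    known = login("alice@example.com", "not-the-password")
    unknown = login("nobody@example.com", "not-the-password")
    return known != unknown
```

Run `leaks_existence` against each handler: it reports True for the weak version and False for the hardened one, while both still accept a correct password.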
Exploitation of the vulnerability before correction
However, last month a report by Restore Privacy indicated that the vulnerability had exposed the data of more than 5.4 million Twitter accounts. The compiled data was offered for sale on a forum frequented by cybercriminals for roughly $30,000.
Source: Restore Privacy
“After reviewing a sample of data available for sale, we have confirmed that a malicious actor took advantage of the issue before it was fixed,” Twitter announced, without specifying the number of accounts affected.
“We will notify account owners directly who we can confirm have been affected by this issue. […] We are unable to confirm all accounts that have been potentially affected, and we are particularly mindful of individuals with accounts with the use of pseudonyms that may be targeted by state or other actors.”
Twitter recommends enabling two-factor authentication and advises that accounts using pseudonyms not add a publicly known phone number or email address.
The post a 0day vulnerability exposed accounts appeared first on Gamingsym.