Hackers linked to some sovereign states have used a Twitter vulnerability to get their hands on users' phone numbers. This is the last case in which social networks have been used as a terrain for collecting personal data: a practice that is called "scraping" and that usually ends up by exploiting the information obtained - as in the striking case of Facebook and Cambridge Analytica - or with their sale on the dark web black market.
To turn the spotlight on the episode was Twitter itself, which ensured that it suspended "fake" accounts used to steal the data "immediately". The discovery dates back to December 24, although it has only been made public now "as a precaution and as a matter of principle".
On that date, the company explained in a note, "we realized that someone, through a large network of fake accounts, was using our API (the programming interface of an app, editor's note) to match usernames to phone numbers". "The accounts dedicated to these activities were located in many different countries, but we found a particularly high volume of requests from individual IP addresses located in Iran, Israel and Malaysia. It is possible that some of these IP addresses - it says - may have ties with subjects supported by the State ".
To be exploited by attackers is the vulnerability in a function, now corrected by Twitter, which helps those who create a new account to find users they already know. The users exposed to the vulnerability are only those who have enabled the "Allow users who have your number to find you on Twitter" option, and who have associated a phone number with their Twitter profile. The company has not disclosed the number of users potentially involved.
On the same 24 December last, the American TechCrunch site had given the news of a security researcher, called Ibrahim Balic, who had managed - for demonstration purposes - to match 17 million phone numbers to as many Twitter users using that vulnerability.
"Social networks have long been one of the most exposed fronts to cyber attacks that put users' security and privacy at risk", says Gabriele Faggioli, head of the Information security & privacy Observatory of the Milan Polytechnic and CEO by P4I-Partners4Innovation. "The Twitter case is only the latest in a series of facts involving several social networks, not surprisingly recently the subject of important interventions by the American and European authorities".
Last August, for example, Instagram announced that it had thrown out of its platform a marketing startup, Hyp3r, discovered to illegally collect user data such as photos or geographic position in order to show them a more targeted advertising. . The most striking case, however, remains that of Cambridge Analytica, a British consultancy company that ended in a scandal - and then bankrupt - for having got its hands on the data of 87 million Facebook users, used to convey political spots in the British referendum campaign on Brexit and the 2016 US presidential election.