I don’t use Twitter. This evening someone (whose IP seems to be in Morocco) signed up for a stupidly named Twitter account (i.e. unlikely to be an accidental sign up) using my email address.
I got the “Please verify your Twitter email address” message and ignored it. However, I used the reset password option to gain access to the account and was amazed to see that, even though the account pages show my e-mail as unverified… Twitter is somehow matching up all my potential friends and displaying them.
I presume this is because my friends have given Twitter access to their address books, and Twitter now sees my (unverified) email address and shows me that I might want to become friends with them on Twitter.
This raises some pretty worrying security problems. If you wanted to find out contacts close to a victim, and you knew your victim didn’t use Twitter, you could just sign up for an account and see a recommendation / list of all their personal and business social contacts. You could then just take those names and use them in the future for some other social engineering, or start tweeting as the victim and trick the victim’s contacts (after all, how would some random person know who to add, etc.).
All the suggested contacts (scrolls for pages) are pretty much all my family and customers! It scares me that any random person can access this data without verification that they own my email address.
In my view this is a pretty horrible leak of information. Twitter should really be hanging on to the recommendations based on e-mail address until the e-mail address is positively confirmed.
UPDATE: This has now been tested without doing the “password reset” step! It still works and shows you the victim’s family, friends and customers / clients etc.
UPDATE 2: It looks like you can even exploit this by just editing your email address in Twitter without the need to sign up. Change your email address to the victim’s, go to suggested people to follow and off you go!
UPDATE 3: 27th November 2015 – Another one of my e-mail addresses was just signed up to Twitter too. This time the source / creation IP was an IP address in Vietnam. I believe that something creepy is happening on Twitter. Hackers attempting to find high value targets, or a government attempting to social map people?
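To make the fix the post asks for concrete (hold address-book matches until the address is confirmed, and treat a changed address as unconfirmed again), here is an added illustration in Python. It is not Twitter’s code; the account record, the inverted address-book index and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Hypothetical account record: the address on file and whether it was confirmed."""
    user_id: str
    email: str
    email_verified: bool = False


# Constructed sample: an inverted index of uploaded address books, mapping an
# e-mail address to the IDs of users whose address books contain it. This stands
# in for the contact-import data that drives "people you may know" suggestions.
ADDRESS_BOOK_INDEX = {
    "victim@example.com": {"sister", "customer_a", "customer_b"},
    "attacker@example.com": set(),
}


def suggest_contacts_leaky(account: Account) -> set[str]:
    """Behaviour the post describes: matches are keyed on the e-mail address
    alone, so anyone who enters a victim's address sees the victim's circle."""
    return set(ADDRESS_BOOK_INDEX.get(account.email, set()))


def suggest_contacts_gated(account: Account) -> set[str]:
    """Mitigation the post asks for: only a confirmed address is matched against
    imported address books; an unconfirmed address yields no suggestions."""
    if not account.email_verified:
        return set()
    return set(ADDRESS_BOOK_INDEX.get(account.email, set()))


def change_email(account: Account, new_email: str) -> Account:
    """Editing the address (the UPDATE 2 case) must clear verified status until
    the new address is confirmed, otherwise the gate above is bypassed."""
    return Account(account.user_id, new_email, email_verified=False)


def confirm_email(account: Account, token_ok: bool) -> Account:
    """Mark the address verified only once the mailed confirmation succeeds
    (token_ok stands in for validating the link from the verification e-mail)."""
    return Account(account.user_id, account.email, email_verified=token_ok)
```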