Twitter leaks friends and family information.

I don’t use twitter. This evening someone (who’s IP seems to be in Morocco) signed up for a stupidly named twitter account (i.e. unlikely to be an accidental sign up) using my email address.

I got the “Please verify your twitter email address” message and ignored it. However I did the reset password option to gain access to the account and was amazed to see that, even though the account pages show my e-mail as unverified… Twitter is somehow matching up all my potential friends and displaying them.

I presume this is because my friends have given Twitter access to their address books and Twitter now sees my (unverified) email address and shows me that I might want to become friends with them on twitter.

This raises some pretty worrying security problems. If you wanted to find out contacts close to a victim, and you knew your victim didn’t use twitter, you can just sign up an account and see a recommendation / list of all their personal and business social contacts. You could then just take those names and use them in the future for some other social engineering, or start twitting as the victim and trick the victims contacts (after all, how would some random person know who to add etc,).

twitter leaks contacts without verification
All the suggested contacts (scrolls for pages) are pretty much all my family and customers! It scares me that any random person can access this data without verification that they own my email address.

In my view this is a pretty horrible leak of information. Twitter should really be hanging on to the recommendations based on e-mail address until the e-mail address is positively confirmed.

UPDATE: This has now been tested without doing the “password reset” step! It still works and shows you the victims family, friends and customers / clients etc.

UPDATE 2: It looks like you can even exploit this by just editing your email address in twitter without the need to sign up. Change your email address to the victim, go to suggested people to follow and off you go!

Update 3: 27th November 2015 – Another one of my e-mail addresses was just signed up to twitter too. This time the source / creation IP was an IP address in Vietnam. I believe that something creepy is happening on twitter. Hackers attempting to find high value targets or government attempting to social map people?

This entry was posted in Uncategorized. Bookmark the permalink.

4 Responses to Twitter leaks friends and family information.

  1. jayaradha says:

    If you report this to twitter’s bug bounty program you can get it fixed and receive some money. Looks like a valid issue.

  2. I think I’m disqualified immediately due to posting this. Cat is no longer in the bag, possibly never was if the person who signed up as me was after my social contacts.

  3. Pingback: Twitter może ujawnić Twoje kontakty – szczególnie gdy nie masz na nim konta | Zaufana Trzecia Strona

  4. Pingback: Myshar | Reading Materials – Issue 6

Comment on this topic

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s