Case Study: Twitter in 2022
Written in 2023
Executive Summary:
Early in 2022, social media giant Twitter were made aware of a vulnerability, but were too late to patch it before threat actors exploited it and eventually leaked the data of over 200 million users. Within twelve months of the vulnerability being patched, there had been multiple high-profile leaks that can be traced back to the initial vulnerability. Twitter have stated the leaks are not due to enumeration after the patch, but are datasets obtained prior to Twitter knowing of the vulnerability. The purpose of this report is to explain in detail the risk, threat and vulnerability that link these twelve months of data breaches.
The Risk And The Threat:
Cyber threat actors are regularly attempting to access and steal data from large companies such as Twitter. If a threat actor obtains user information they can sell that data on the dark web, where it can be purchased for targeted advertising, or for more malicious and damaging purposes, with data on high-profile users such as government officials and celebrities being more valuable. Alternatively, a threat actor can hold the data for a ransom to be bought back by the company the data was stolen from, as seen in recent Twitter incidents. Any successful cyber attack on a company where personal data is stolen can cause a reduction in public trust towards the company.
The Vulnerability:
To alleviate the need to have a large number of cyber security professionals constantly testing for vulnerabilities, Twitter uses the bug bounty platform HackerOne, where anyone can be paid to find a vulnerability and provide a detailed report of how to recreate the issue. In January 2022 a user by the name of ‘zhirinovskiy’ reported a vulnerability on the HackerOne platform. The vulnerability involved an issue with Twitter’s application programming interface (API) and allowed anyone to obtain the Twitter ID of any user when searched against a database of email addresses and phone numbers, even if the user had specifically denied that permission in Twitter’s privacy settings (zhirinovskiy, 2022). The high potential impact lay in the fact that a threat actor with basic coding skills would be able to automate these queries to discover the Twitter IDs of upwards of a million users at once, which could be sold as a database for advertising or more malicious use.
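To make the flaw concrete, the following added example (not Twitter’s code; the account records, function names and quota are constructed for illustration) contrasts a contact lookup that ignores the user’s discoverability settings with one that honours them per channel, returns the same “not found” result for non-discoverable and unknown contacts, and caps how many lookups a single client may perform:

```python
# Added illustration of the discoverability bypass described above and its fix.
# Not Twitter's code: names, records and the quota are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    user_id: str
    email: str
    phone: str
    discoverable_by_email: bool   # "let people find me by my email" setting
    discoverable_by_phone: bool   # "let people find me by my phone number" setting

# Constructed sample directory; a real service would query a datastore.
ACCOUNTS = [
    Account("1001", "alice@example.com", "+15550000001", True, True),
    Account("1002", "bob@example.com", "+15550000002", False, False),
]

def lookup_vulnerable(contact: str) -> Optional[str]:
    """Flawed lookup: matches on email or phone and never consults privacy settings."""
    for acct in ACCOUNTS:
        if contact in (acct.email, acct.phone):
            return acct.user_id
    return None

_lookups = defaultdict(int)   # per-client lookup counter (constructed quota below)
LOOKUP_LIMIT = 100

def lookup_fixed(contact: str, client_id: str) -> Optional[str]:
    """Hardened lookup: honours per-channel discoverability and caps bulk querying.

    Returns None for both unknown contacts and non-discoverable accounts, so the
    response does not reveal whether the contact belongs to an account at all.
    """
    _lookups[client_id] += 1
    if _lookups[client_id] > LOOKUP_LIMIT:
        raise PermissionError("lookup quota exceeded for client %s" % client_id)
    for acct in ACCOUNTS:
        if contact == acct.email and acct.discoverable_by_email:
            return acct.user_id
        if contact == acct.phone and acct.discoverable_by_phone:
            return acct.user_id
    return None
```

The quota is a blunt stand-in for the rate limiting and anomaly detection a production API would apply; the essential fix is that the privacy flags are checked on every match.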
The Incident(s):
In July 2022, a threat actor by the alias of ‘devil’ posted on a breach forum claiming they had a database of 5.4 million Twitter IDs with corresponding email addresses and phone numbers that were later verified to have been obtained using the vulnerability identified seven months prior.
Five months later, a separate threat actor by the alias of ‘Ryushi’ posted in the same forum claiming they had a database containing the same information for over 400 million users. It was also claimed to have been obtained using the same method and was for sale for US$200,000, with a note to Twitter’s CEO Elon Musk claiming that price would be far cheaper than the fines his company would face for the data breach (Powell, 2023).
Actions Taken:
Upon receiving the vulnerability report, Twitter triaged and then patched the issue, whilst also paying zhirinovskiy US$5040 for the bug bounty. They then confirmed with zhirinovskiy that the patch was successful. The bug bounty system has proven beneficial for Twitter, having paid over US$1.5 million in bounties to over 1000 hackers in order to fix over 1500 bugs.
In January 2023, Twitter released a statement on their blog regarding these incidents. In this statement, they deny that the incidents occurred as a result of exploiting this vulnerability after Twitter had patched it. Instead, Twitter have stated “there is no evidence the data being sold online was obtained by exploiting a vulnerability in Twitter systems” (Twitter, 2023). Twitter also stated that two of the datasets were the same, except one had duplicate data in it.
Results:
Twitter is still currently under investigation by the Data Protection Commission (DPC) as to whether or not Twitter had complied with its obligations as controller to protect user information in accordance with the Data Protection Act 2018 (DPC, 2022). If the DPC finds an infringement of the act, Twitter would be liable and required to pay a fine. Based on what Meta (Facebook) paid in a similar case, it could be a fine exceeding US$200 million. Whilst Twitter has denied this vulnerability being exploited, many believe the data being sold online was obtained using the same method zhirinovskiy outlined in their initial report to Twitter, a claim that has been verified by the owner of Breach Forums, the site on which the data was being sold. Regardless of how the data was scraped, the undeniable fact is that millions of Twitter users had their privacy breached, which caused Twitter share prices to fall and a reduction of public confidence in the social media platform. In order to prevent this from happening in the first place, or at least reduce the risk, Twitter needs more staff checking submissions to their own bug bounty program. The vulnerability was reported on the 1st of January, but wasn’t acknowledged by Twitter until seven days later, with a further seven days until they considered the vulnerability patched and the issue resolved. It is unknown how long the vulnerability existed prior to zhirinovskiy reporting it; however, a week to see the report and a further week to fix does not seem appropriate for the level of risk severity. Furthermore, after the vulnerability was patched, or at a minimum after the first data breach, Twitter should have mitigated the damage by providing new Twitter IDs for affected members to invalidate the stolen data.
Conclusion:
As of May 2023, Twitter is yet to take ownership of these incidents; they have acknowledged the breach, but have assumed the role of a victim, when they themselves are responsible for protecting the personal information of their users, especially when this vulnerability allowed threat actors to bypass the security settings users selected to ensure their account was not discoverable by using email addresses and phone numbers as a search query. Twitter had (and still have) a terrific bug bounty system, but failed to capitalize on its capability with poor response times. Twitter failed to adequately mitigate the risk by having the API vulnerability, and furthermore failed to mitigate the damage caused by the risk eventuating.
References:
DPC. 2022. Data Protection Commission launches inquiry into Twitter concerning datasets [Online]. Data Protection Commission. Available: https://www.dataprotection.ie/en/news-media/data-protection-commission-launches-inquiry-twitter-concerning-datasets
Powell, O. 2023. Investigation launched into Twitter after 400m user details posted on hacking forum [Online]. Cyber Security Hub. Available: https://www.cshub.com/attacks/news/investigation-launched-into-twitter-after-400m-user-details-posted-on-hacking-forum
Twitter. 2023. Update about an alleged incident regarding Twitter user data being sold online [Online]. Available: https://privacy.twitter.com/en/blog/2023/update-about-an-alleged-incident-regarding-twitter-user-data-being-sold-online
Zhirinovskiy. 2022. Discoverability by phone number/email restriction bypass. HackerOne.