{"id":14125,"date":"2018-12-20T15:30:38","date_gmt":"2018-12-20T23:30:38","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/20\/news-7892\/"},"modified":"2018-12-20T15:30:38","modified_gmt":"2018-12-20T23:30:38","slug":"news-7892","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/12\/20\/news-7892\/","title":{"rendered":"Flaw in Twitter form may have been abused by nation states"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Wed, 19 Dec 2018 16:00:00 +0000<\/strong><\/p>\n

Twitter\u00a0announced in a blog post<\/a>\u00a0on Monday that they discovered and addressed a security flaw on one of their support forms. The discovery was made on November 15 \u2014 more than a month ago \u2014 and was promptly fixed the next day. From the Twitter blog on this issue:<\/p>\n

\n

We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account. This could be used to discover the country code of people\u2019s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.<\/em><\/p>\n<\/blockquote>\n

They go on to add:<\/p>\n

\n

Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted.<\/em><\/p>\n<\/blockquote>\n

Country codes, take me home<\/h3>\n

While a country code isn\u2019t treated or considered by many as sensitive information, some warn<\/a>\u00a0that it is enough to clue in attackers on whether a registered mobile number (with country code) is associated with a Twitter account. This means that cybercriminals could find the true country locations of Twitter users. This could be dangerous for those in countries with freedom of speech\u2013related privacy concerns.<\/p>\n

Twitter is currently investigating the possibility that the flaw may have been abused by potential nation-state actors, particularly<\/a>\u00a0from IP addresses associated with Saudi Arabia and China.<\/p>\n

As if this weren’t enough of a headache for the social media giant, Peerzada Fawaz Ahmad Qureshi, an independent security researcher who goes by @Fawaz<\/a> on Twitter, has stepped forward<\/a>\u00a0to disclose that he had reported the flaw to Twitter via HackerOne, a bug bounty<\/a>\u00a0platform, more than two years ago. Twitter took no action, however, deeming the bug as non-critical before marking the report an \u201cinformative\u201d one.<\/p>\n

Wait! That’s not all<\/h3>\n

This announcement comes hot on the heels of a Trend Micro report<\/a>\u00a0about malicious Twitter users abusing the social media platform to stealthily communicate with malware using\u00a0stenography<\/a>, the method of hiding messages in images. In this case, the malicious actors have hidden commands in memes found in every nook and cranny of Twitter\u2014hiding-in-plain-sight at its finest.<\/p>\n

This isn’t the first time Twitter has been used as a comms hub for malware. Back in 2009, a DIY botnet kit<\/a> was discovered that brought social media\u2013controlled infection hijinks to the masses, allowing malware authors with rudimentary skills to use Twitter to send commands.<\/p>\n

Stock, drop, and roll<\/h3>\n

Outside of bot action, the news of Twitter\u2019s investigation triggered a dramatic drop<\/a>\u00a0in the company’s stock share prices. It promises to be a rollercoaster-ride ending to 2018 for those trying to keep both Twitter and its users safe from harm.<\/p>\n

If you use the social media platform and are worried about potential breach, Twitter’s advice is simply: do nothing. While these mishaps may have been close calls instead of direct hits, one hopes that in 2019, we’ll all be a little more proactive\u2014and a lot more reassured\u2014about using our favorite portals and communication channels safely.<\/p>\n

The post Flaw in Twitter form may have been abused by nation states<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Wed, 19 Dec 2018 16:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Twitter announced in a blog post\u00a0Monday that they discovered and addressed a security flaw in one of their support forms. The discovery was made on November 15\u2014more than a month ago\u2014and promptly fixed the next day. So why are we only hearing about it now?<\/p>\n

Categories: <\/p>\n