Nation-state attackers fingered for exploiting bug in Twitter's anti-troll tools

  • Liam Tung (CSO Online)
  • 19 December, 2018 05:56

Just days after Twitter released its latest Transparency Report, the company quietly announced that state-sponsored hackers may have abused a recently discovered bug in one of its anti-troll support forms. 

The bug allowed attackers, who used a number of IP addresses located in China and Saudi Arabia, to uncover the country code of a user's phone number if the user had linked that number to their Twitter account. The bug also exposed whether or not Twitter had locked an account.

"We observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors," Twitter said in a help center page about an “issue” affecting the application programming interface (API) of one of its support forms.
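The signal Twitter describes, a large volume of support-form inquiries from single IP addresses, is straightforward to check for in access logs. The following is an added example, not Twitter's code: it runs that check over a constructed log (the log format, field names and thresholds are assumptions) and shows the response-minimisation fix for the exposed fields.

```python
import re
from collections import defaultdict

# Constructed support-form access log: "<ip> <form> <account>" per line.
# Values are illustrative only, not real Twitter data.
SAMPLE_LOG = """\
203.0.113.7 unlock-form acct1001
203.0.113.7 unlock-form acct1002
203.0.113.7 unlock-form acct1003
203.0.113.7 unlock-form acct1004
203.0.113.7 unlock-form acct1005
198.51.100.4 unlock-form acct2001
198.51.100.4 unlock-form acct2001
192.0.2.9 unlock-form acct3001
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<form>\S+) (?P<account>\S+)$")


def flag_enumerators(log_text, min_inquiries=5, min_distinct_ratio=0.8):
    """Return {ip: (inquiries, distinct_accounts)} for IPs whose volume and
    spread across accounts look like mass lookup rather than one person
    unlocking their own account. Thresholds are assumed, not Twitter's."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_ip[m["ip"]].append(m["account"])
    flagged = {}
    for ip, accounts in per_ip.items():
        distinct = len(set(accounts))
        if (len(accounts) >= min_inquiries
                and distinct / len(accounts) >= min_distinct_ratio):
            flagged[ip] = (len(accounts), distinct)
    return flagged


def minimise_response(record, requester_is_account_owner):
    """Strip the per-account metadata the article says was exposed (phone
    country code and lock status) unless the requester has proven ownership
    of the account; field names are assumed for illustration."""
    if requester_is_account_owner:
        return dict(record)
    return {k: v for k, v in record.items()
            if k not in ("phone_country_code", "locked")}
```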

“We lock an account if it appears to be compromised or in violation of the Twitter Rules or our Terms of Service,” Twitter explained, stressing the API bug “did not expose full phone numbers or any other personal data.”

“We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter said. 

If the attackers are indeed state-sponsored, it could mean they exploited processes Twitter has used to purge state-backed trolling from its platform.

The account lock process and the support form for unlocking a locked account have been key components of Twitter's response to criticism of it, Facebook and Google over their handling of Russian-connected trolling in the lead-up to the 2016 US presidential election.

Since the election, Twitter has locked hundreds of thousands of suspected bot accounts. Its process for establishing that a locked account is not a bot involves challenging account owners to provide a real phone number so that it can confirm a human is behind it.

After the user enters a phone number, Twitter sends a verification code, and the user must press a "Submit" button to unlock the account.

Mass account lockouts angered US conservatives in February after right-wing Twitter users noticed thousands of their followers suddenly vanished. Twitter defended its lockout as part of its efforts to clamp down on abuse, and stressed its tools were “apolitical”.   

Twitter's latest Transparency Report, covering January to June 2018, revealed it had delivered challenges to 232 million accounts during the six-month period.

Twitter's bot account challenges totaled between 30 million and 40 million accounts per month in the period, meaning each month it challenged around 10 percent of its 326 million monthly active users, based on Statista figures. Twitter said that around 75 percent of challenged accounts failed to pass its challenges and were suspended.

“Our primary goal on this front is to identify and challenge accounts engaging in spammy or manipulative behavior before users are exposed to misleading, inauthentic, or distracting content,” Twitter notes in the transparency report. 

Twitter has told users who are worried they may have been affected to complete its Data Protection Inquiry Form. 

“We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. We are sorry this happened,” said Twitter.