In what looks to be an oversight by Twitter’s security team, the social network may be leaking information about your family or friends to strangers that attempt to impersonate you.
If you sign up for a Twitter account using the email address of someone who has never signed up for Twitter, you won’t get very far, of course. The owner of the email address will have to confirm the creation of the account via an email link sent to his or her inbox first.
But what if the point isn’t impersonation, but reconnaissance? If it’s the latter, you can learn a lot about an account’s family and friends without having to confirm the creation of a new account, according to a post on thecomputerperson blog, and verified by Motherboard.
To illustrate what’s happening here, I created a new Twitter account with my Vice email, which has never been linked to a Twitter account. Twitter immediately suggested I follow the accounts of writers I’ve previously emailed with—four out of five were the top suggestions—and I didn’t have to confirm my email to view this information.
I also tried signing up for new accounts using the emails of four additional colleagues. Two showed known contacts within the first few results, while the other two did not.
According to Twitter’s own support page, “If someone has uploaded their contacts to Twitter, and your email address or phone number is included in their contacts, we may suggest you follow them.”
In practice, this means that an abuser or harasser could attempt to sign up for a Twitter account using an email address that belongs to a target, but has not been registered on Twitter—perhaps an alternate account, or a work account in my case. Using Twitter’s suggested user feature, an attacker could glean the identities of some friends, family members, and other close contacts who have registered for Twitter, and have also allowed Twitter to access their contacts (which, presumably, contain the target’s email). These people could then be targeted for further abuse, social engineering, or harassment.
There are, of course, many suggestions that have no relation to the email address used—popular accounts, or accounts chosen based on the location you attempt to sign up from, for example—and it’s not clear how these suggestions are ordered. But in my case, at least, separating actual friends and family from more general suggestions would not take much work.
Ideally, Twitter should prevent new accounts from being able to see suggested users until the email that was used to register the account has been confirmed. But until then, the best thing to do, if you haven’t already, is to turn off the privacy setting that lets other users find you by the email or phone number associated with your account. That will stop anyone—a registered user or not—from finding your account, aside from knowing your handle.
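To make the proposed fix concrete, here is an added illustration (not Twitter's code; the uploaded-contact index, account names and email addresses are constructed) contrasting suggestion logic that consults uploaded address books before the signup email is confirmed with logic that withholds contact-derived suggestions until confirmation:

```python
from dataclasses import dataclass

# Constructed sample index (hypothetical): account -> email addresses that
# account uploaded from its address book.
UPLOADED_CONTACTS = {
    "alice": {"target.work@example.com", "bob@example.com"},
    "carol": {"target.work@example.com"},
    "dave": {"someone.else@example.com"},
}

# Constructed generic suggestions unrelated to the signup email.
POPULAR_ACCOUNTS = ["news_account", "local_weather"]


@dataclass
class Signup:
    email: str
    email_confirmed: bool = False


def contact_matches(email: str) -> list[str]:
    """Accounts whose uploaded address book contains this email.

    This is exactly the set an unconfirmed signup should not be shown:
    it reveals who knows the owner of the address."""
    return sorted(acct for acct, book in UPLOADED_CONTACTS.items() if email in book)


def suggest_follows_leaky(signup: Signup) -> list[str]:
    # Behaviour the article describes: contact-derived suggestions appear
    # immediately, whether or not the address has been confirmed.
    return contact_matches(signup.email) + POPULAR_ACCOUNTS


def suggest_follows_hardened(signup: Signup) -> list[str]:
    # Proposed fix: an unconfirmed signup proves nothing about who owns the
    # address, so only generic suggestions are returned until confirmation.
    if not signup.email_confirmed:
        return list(POPULAR_ACCOUNTS)
    return contact_matches(signup.email) + POPULAR_ACCOUNTS


def disclosed_before_confirmation(email: str) -> list[str]:
    """What an unconfirmed signup learns under the leaky logic but not the hardened one."""
    unconfirmed = Signup(email)
    return sorted(set(suggest_follows_leaky(unconfirmed)) - set(suggest_follows_hardened(unconfirmed)))
```

The difference between the two functions for an unconfirmed signup is the leaked contact list; once the address is confirmed, both return the same suggestions.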
Motherboard has reached out to Twitter for comment, and will update this post when the company replies.