This week, we check out a recent API vulnerability in Twitter. In addition, it looks like API vulnerabilities are a bit of a theme in apps by political parties: vulnerabilities were discovered in apps by Israel’s Likud and the Democratic Party in the USA. We also have two API security talks: one recorded and one upcoming webinar.
Twitter has disclosed a recent API exploit. The API endpoints that make it easier to find friends on Twitter by phone number were abused, possibly by state-sponsored actors, to mine accounts by mapping them to phone numbers. Detecting and throttling the exploit was hard because the phone numbers were not sequential and the attackers spread their requests across multiple accounts and IP addresses.
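As an added illustration of why per-account or per-IP throttling misses this pattern (example code, not from Twitter or this newsletter): a constructed window of contact-lookup records in which every abusive account stays under a per-key cap, alongside a per-account hit-rate heuristic that does separate bulk number probing from a genuine address-book upload. The cap, the hit-rate threshold, the heuristic itself and all the data are assumptions.

```python
from collections import defaultdict

# Constructed sample window of contact-lookup requests: (account, source_ip, phone, matched).
# All values are made up for illustration; none are real accounts, addresses or numbers.
WINDOW = [
    ("acct_a1", "198.51.100.10", "+15550000101", False),
    ("acct_a1", "198.51.100.10", "+15550000517", True),
    ("acct_a1", "198.51.100.10", "+15550002088", False),
    ("acct_a1", "198.51.100.10", "+15550007340", False),
    ("acct_a2", "198.51.100.11", "+15550000842", False),
    ("acct_a2", "198.51.100.11", "+15550003197", False),
    ("acct_a2", "198.51.100.11", "+15550005560", True),
    ("acct_a2", "198.51.100.11", "+15550009021", False),
    ("acct_a3", "203.0.113.7", "+15550001299", False),
    ("acct_a3", "203.0.113.7", "+15550004410", False),
    ("acct_a3", "203.0.113.7", "+15550006675", False),
    ("acct_a3", "203.0.113.7", "+15550008803", True),
    ("user_u1", "192.0.2.25", "+15550001111", True),
    ("user_u1", "192.0.2.25", "+15550002222", True),
    ("user_u1", "192.0.2.25", "+15550003333", False),
    ("user_u2", "192.0.2.26", "+15550002222", True),
    ("user_u2", "192.0.2.26", "+15550004444", True),
]

PER_KEY_LIMIT = 5  # hypothetical per-account / per-IP lookup cap for the window


def per_key_offenders(window, key):
    """Naive throttling: flag any single account (key=0) or IP (key=1) over the cap.
    Spread across enough accounts and addresses, an enumeration never trips it."""
    counts = defaultdict(int)
    for row in window:
        counts[row[key]] += 1
    return sorted(k for k, n in counts.items() if n > PER_KEY_LIMIT)


def account_hit_rates(window):
    """Per account: fraction of looked-up numbers that resolved to an existing user."""
    tried, hit = defaultdict(int), defaultdict(int)
    for acct, _ip, _phone, matched in window:
        tried[acct] += 1
        hit[acct] += int(matched)
    return {a: hit[a] / tried[a] for a in tried}


def suspect_accounts(window, min_lookups=3, max_hit_rate=0.5):
    """Assumed heuristic: a real address-book upload mostly hits known users, while
    probing generated numbers mostly misses. Flags by hit rate, not request rate."""
    tried = defaultdict(int)
    for acct, *_ in window:
        tried[acct] += 1
    rates = account_hit_rates(window)
    return sorted(a for a, r in rates.items() if tried[a] >= min_lookups and r <= max_hit_rate)
```

Running it on the sample shows no per-account or per-IP offender at all, while the three low-hit-rate accounts surface for review; in production the threshold would have to be tuned against the real distribution of legitimate uploads.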