|
|
|
|
|
|
by danso
4350 days ago
|
|
|
OK, I see that the flaw was that the phone number was revealed to a user when, after installing the Twitter for iPhone app, wanted to specify that the code be sent via text to a phone number...And the Twitter app reminds the user -- who again, has successfully entered the password -- what number the message goes to. So, if you're thinking, what kind of dumbass would need to be reminded what phone the code was going to?...well, the OP for starters. In fact, he recommends readers to get Google Voice numbers (ooh, another attack vector/dependency, but let's ignore that for now)...so, if you're such a user, who has a phone and some burner numbers, and you tell the Twitter app to send a reminder to your phone number...and nothing comes...that's going to seem like a point of failure. And IMO, that situation is going to be much more likely than the case of a user telling the world his password and username. Also, it seems more likely than phishers doing something more damaging than getting phone numbers after manually going through the phone app for each password stolen...My impression is that such phishers do not typically rely on manual methods, especially if by doing so, they don't get access to the target account...seems like a low return on investment of effort. |
|
|
Plus, at the very least you could just reveal the last 2 digits of the phone number upon request. That's still side-channel data leakage, but at least it's much more contained.