Twitter said it is investigating the authenticity of a batch of information connected to 5.4 million accounts that is being sold on a hacking forum.
First reported by RestorePrivacy, the hacker – going by the name “devil” – is offering email addresses and phone numbers connected to the accounts. The hacker claimed in the post on Breach Forums that the accounts range from “celebrities, companies, randoms, OGs, etc.”
Researchers immediately tied the post to a vulnerability in Twitter’s platform that was discovered in January by a security researcher who reported the issue through the HackerOne site.
The researcher explained that the vulnerability allowed an attacker to “find a twitter account by its phone number/email even if the user has prohibited this in the privacy options.”
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” the researcher, who goes by “zhirinovskiy,” explained.
“This is a serious threat, as people can not only find users who have disabled discoverability by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities. Short: this can lead to a loss of privacy for many users.”
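To make the researcher's description concrete, here is an added Python example (not code from the article, from Twitter, or from the researcher) that models the flaw: an unauthenticated duplicate-account check that resolves any email/phone to an account ID, beside a version that honours the user's discoverability setting, plus a small counter that flags bulk lookups in constructed request logs. The user records, the `/account/duplicate_check` endpoint name and the log format are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class User:
    """Constructed sample record; `discoverable` mirrors the privacy option."""
    user_id: int
    email: str
    phone: str
    discoverable: bool

USERS = [  # constructed sample data, not real accounts
    User(1001, "alice@example.com", "+15550001", True),
    User(1002, "bob@example.com", "+15550002", False),
]

SAMPLE_LOG = [  # constructed key=value lines for an assumed endpoint name
    "src=10.0.0.5 endpoint=/account/duplicate_check contact=a@example.com",
    "src=10.0.0.5 endpoint=/account/duplicate_check contact=b@example.com",
    "src=10.0.0.5 endpoint=/account/duplicate_check contact=c@example.com",
    "src=10.0.0.9 endpoint=/account/duplicate_check contact=alice@example.com",
]

def lookup_vulnerable(contact: str):
    """Mirrors the reported flaw: any matching email/phone resolves to an ID."""
    for u in USERS:
        if contact in (u.email, u.phone):
            return u.user_id
    return None

def lookup_hardened(contact: str):
    """Resolve a contact only if its owner opted into being found by it."""
    for u in USERS:
        if contact in (u.email, u.phone) and u.discoverable:
            return u.user_id
    return None

def flag_enumeration(log_lines, threshold: int):
    """Return sources whose duplicate-check volume reaches the threshold,
    the signature of the bulk phone/email-to-account mapping described above."""
    counts = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("endpoint") == "/account/duplicate_check":
            counts[fields["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)
```

A signup-side duplicate check should additionally return the same response whether or not a contact is already registered, delivering the real outcome out-of-band (for example by a verification message to that contact), so that no identifier is disclosed to the caller at all.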
Twitter acknowledged the issue on January 6, paid a $5,040 bounty and resolved the vulnerability by January 13. The researcher confirmed that the vulnerability was fixed that same day.
RestorePrivacy verified with the hacker “devil” that the information in the database is legitimate and was told that they are selling it for “nothing lower than 30k.”
On Friday, a Twitter spokesperson told The Record that the company is “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
“We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability. As always, we’re committed to protecting the privacy and security of the people who use Twitter,” the Twitter spokesperson said.
“We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this. We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”
Twitter did not respond to requests for comment about what would be done for the accounts in question once it confirms that the database contains legitimate information.
Be as careful at the end as at the beginning, and there will be no failure.
Tao Te Ching, Chapter 64
This article is translated from:
https://therecord.media/twitter-investigating-authenticity-of-5-4-million-accounts-for-sale-on-hacking-forum/
If you repost it, please credit the original address.
My translation skills are limited :(
Where anything is ambiguous, the original text takes precedence :)