Security Bug Exposed Private Tweets for Years

Twitter discovered a bug that made users’ private tweets public for over four years. The vulnerability affected the Twitter app for Android. Users of the iOS app or the web version of Twitter were not affected. The social media site posted to Twitter’s help center on Thursday, saying the issue was ongoing from November 3, 2014 to January 14, 2019.

The post said:

“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019”

According to the site, three conditions had to be met for a user to have been impacted by the bug. First, the user had to be using the Android Twitter app specifically. Second, the user had to have turned on the “Protect your Tweets” setting. Third, the user had to make certain changes to their account settings, such as updating the email address associated with their account. When those changes were made, the “Protect your Tweets” setting would automatically become disabled, making the tweets public.

The number of users impacted is unknown; however, those affected by the bug have been informed. Impacted users have also had the “Protect your Tweets” setting reactivated. For the time being, Twitter has told its users to double-check their Twitter settings to ensure they are correct.

Twitter said in the post:

“We recognize and appreciate the trust you place in us and are committed to earning that trust every day. We’re very sorry this happened and we’re conducting a full review to help prevent this from happening again.”

Twitter has declined to comment further on the security issue since the post. This flaw is just the latest security issue to occur at Twitter. Just last month, the social media site issued a patch that revealed the IP addresses of users located in China and Saudi Arabia. In another incident, software developers were able to read users’ private direct messages.
