Twitter admitted that private files sent via Twitter DMs were cached inside users’ Firefox browsers for up to seven days, even after the users had logged off.
The problem is related to the way the Mozilla Firefox web browser caches data, which caused private media shared in DMs and data downloads to be stored in the browser’s cache.
An attacker could have accessed private data stored in the Firefox cache using specific tools.
“We recently learned that the way Mozilla Firefox stores cached data may have resulted in non-public information being inadvertently stored in the browser’s cache,” reads the announcement published by the company.
“This means that if you accessed Twitter from a shared or public computer via Mozilla Firefox and took actions like downloading your Twitter data archive or sending or receiving media via Direct Message, this information may have been stored in the browser’s cache even after you logged out of Twitter.”
The privacy issue doesn’t affect other browsers such as Google Chrome and Safari.
Mozilla implemented a retention period of 7 days in the Firefox browser, which means that the content of the cache is automatically deleted after a week.
Twitter announced that it has addressed the issue: Firefox will no longer store users’ personal information in the browser cache.
“We have implemented a change on our end so that going forward the Firefox browser cache will no longer store your personal information,” continues Twitter.
“If you use, or have used, a public or shared computer to access Twitter, we encourage you to clear the browser cache before logging out, and to be cautious about the personal information you download on a computer that other people use.”
Firefox users can clear their browser’s cache through the following menu path:
Options > Privacy & Security > Cookies and Site Data > Clear Data.
Uncheck the Cookies and Site Data option, leave only Cached Web Content checked, and then click the Clear button.
“If you have any questions or concerns regarding this incident, you can contact Twitter’s Data Protection Officer by completing the online form located here,” concludes Twitter.