A bug in the Twitter app for Android may have had exposed tweets, the social media platform revealed on Thursday.
The bug in the Android Twitter app affects the “Protect my Tweets” option from the account’s “Privacy and safety” settings that allows viewing user’s posts only to approved followers.
People who used the Twitter app for Android may have had the protected tweets setting disabled after they made some changes to account settings, for example after a change to the email address associated with the profile.
“We’ve become aware of an issue in Twitter for Android that disabled the “Protect your Tweets” setting if certain account changes were made.” reads the security advisory published by the company.
“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”
The vulnerability was introduced on November 3, 2014, and was fixed on January 14, 2019, users using the iOS app or the web version were not impacted.
Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.
“We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your ‘Protect your Tweets’ setting reflects your preferences,” continues the advisory.
Recently Twitter addressed a similar bug, in December the researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party.
In September 2018, the company announced that an issue in Twitter Account Activity API had exposed some users’ direct messages (DMs) and protected tweets to wrong developers.
Twitter is considered one of the most powerful social media platforms, it was used in multiple cases by nation-state actors as a vector for disinformation and propaganda.
In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.