Twitter admits Android app vulnerability that exposed user’s private data

It seems that Twitter can’t catch a break. The social media platform recently disclosed it discovered a vulnerability in its Android app that can be exploited to allow malicious parties to access a user’s private data including their direct messages (DM).

Twitter explained in a post that it recently discovered the existence of the vulnerability in the Android app that could have allowed an attacker, through a malicious app installed on the device, to access private Twitter data by working around Android’s system permissions. The issue is apparently not new as it is related to a problem that Google had already fixed in its October 2018 security patch.

Here are the steps recommended by Twitter:

1. Updated Twitter for Android to make sure external apps can’t access Twitter in-app data by adding extra safety precautions beyond standard OS protections

2. Requiring anyone that may be impacted to update Twitter for Android

3. Sending in-app notices to everyone who could have been vulnerable to let them know if they need to do anything

4. Identifying changes to our processes to better guard against issues like this

The good news is that 96% of Twitter users on Android are not vulnerable to this issue. But that also means the remaining 4% of users on Android 8 and Android 9 were exposed to this exploit. Twitter, however, said there was no evidence the vulnerability was exploited.

This isn’t the first vulnerability Twitter has detected in its Android app. The company has previously disclosed a similar problem after a fix was made available. 

In mid-July 2020, Twitter suffered an unprecedented hack that compromised the accounts of high-profile individuals such as Bill Gates, Elon Musk and Joe Biden.

SEE ALSO:  Twitter announced the removal of Fleets in a hilarious 'apology' Tweet

The mastermind behind the hack was revealed to be Graham Ivan Clark, a 17-year-old teenager from Florida, who was arrested on 31 July. Based on The New York Times’ story, Clark tricked an unwitting employee via a phone phishing attack and gained access to Twitter’s account management tools.


Related reading