Twitter has issued a notice to users of its Android app to inform them of a security vulnerability that potentially exposed private Twitter data on their devices, including direct messages.
The company said that there is currently no evidence that this vulnerability was exploited by attackers, but because it can’t be completely sure it has taken steps to keep those users who may have been exposed safe.
It explained that the vulnerability was related to an underlying bug in versions 8 and 9 of the Android operating system.
“Our understanding is 96% of people using Twitter for Android already have an Android security patch installed that protects them from this vulnerability,” Twitter stated in its disclosure.
“For the other 4%, this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this.”
To keep this group of users safe, Twitter said it took the following steps:
- Updated Twitter for Android to make sure external apps can’t access Twitter in-app data by adding extra safety precautions beyond standard Android protections.
- Requiring anyone who may be impacted to update Twitter for Android.
- Sending in-app notices to everyone who could have been vulnerable to let them know if they need to do anything.
- Identifying changes to its processes to better guard against issues like this.
“To keep your Twitter data safe, please update to the latest version of Twitter for Android on all Android devices that you use to access Twitter. This issue did not impact Twitter for iOS or Twitter.com,” Twitter said.
Twitter’s disclosure of the vulnerability in its Android app comes as a 17 year-old hacker who had just finished high school stands accused of breaching the company’s systems and allegedly hijacked 130 Twitter accounts as part of a cryptocurrency scam.
Of the 130 accounts that were targeted, Twitter revealed that 45 had tweets sent from them, 36 accounts had their direct message inboxes accessed, and Twitter data was downloaded from 7 of them.
Based on Twitter’s report of how the 15 July attack happened, the hacker didn’t need sophisticated tools to take over the Twitter accounts of well-known business people, celebrities, and a former United States president.
Law enforcement officials said that the attacker convinced an information technology employee at Twitter that he was a colleague who needed login credentials to access the company’s customer support platform.