Twitter says a security bug may have exposed the private direct messages of its Android app users, but that it has found no evidence the vulnerability was ever exploited.
The bug could have allowed a malicious Android app running on the same device to siphon off a user’s direct messages stored in the Twitter app by bypassing Android’s built-in data permissions. Twitter said the bug, which it said was patched in October 2018, affected only devices running Android 8 (Oreo) and Android 9 (Pie).
A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher “a few weeks ago” through HackerOne, which Twitter uses for its bug bounty program.
“Since then, we have been working to keep accounts secure,” said the spokesperson. “Now that the issue has been fixed, we’re letting people know.” Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed.

Twitter said the vast majority of users had updated their Twitter for Android app and were no longer vulnerable. But the company said about 4% of users are still running an old and vulnerable version of its app, and users will be notified to update the app as soon as possible.
Many users began noticing in-app pop-ups notifying them of the issue.
News of the security issue comes just weeks after the company was hit by a hacker who gained access to an internal “admin” tool and, along with two accomplices, hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in scammed funds.
The Justice Department charged three people — including one minor — allegedly responsible for the incident.
