Twitter says Android security bug gave access to direct messages – ProWellTech
Twitter says a security bug may have exposed the private direct messages of its Android app users, but claimed there is no evidence that the vulnerability was ever exploited.
The bug could have allowed a malicious Android app running on the same device to steal a user’s direct messages stored in the Twitter app by bypassing Android’s built-in data permissions. But Twitter said the bug only worked on Android 8 (Oreo) and Android 9 (Pie) and has since been fixed.
A Twitter spokesman told ProWellTech that the bug was reported by a security researcher “a few weeks ago” through HackerOne, which Twitter uses for its bug bounty program.
“Since then, we’ve been working to protect the accounts,” said the spokesman. “Now that the problem has been resolved, we are letting people know.” Twitter said it had waited before informing its users so that nobody could learn of the problem and exploit it before it was resolved.
Twitter said that the vast majority of users have already updated their Twitter app for Android and are no longer vulnerable. But the company said around 4% of users are still running an older, vulnerable version of the app, and those users will be notified to update it as soon as possible.
Many users started noticing in-app pop-ups warning them of the problem.
The news of the security issue comes a few weeks after the company was hit by a hacker who obtained access to an internal “administration” tool and, together with two accomplices, hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in defrauded funds.
The Justice Department accused three people – including a minor – of being responsible for the incident.