Twitter is a popular social media network, used by public figures, politicians, celebrities, and many others in between.
The company said that it has fixed a security issue that could have allowed attackers to access private Twitter data, including direct messages. The vulnerability is said to have affected Twitter users running devices with Android 8 (Oreo) and 9 (Pie).
"This vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this," the company said in a blog post.
The bug allowed a malicious app already installed on the device to abuse Android's built-in permission handling, bypass the restrictions that normally isolate one app's data from another, and read Twitter's data.
Twitter said that it has found no evidence that the Android vulnerability was exploited by attackers, but it cannot be completely sure.
This is why Twitter said that it has begun notifying users who could have been affected.
The company has also updated its Android app to remove the vulnerability, changing the app so that other apps can no longer access its in-app data. Twitter said that it is also identifying changes to its processes to prevent a similar issue from happening again.
We recently fixed a vulnerability caused by an underlying Android Security issue with Android OS Versions 8 and 9. We don't have evidence that it was exploited, but we're being cautious. Some of you on Android will be asked to update your Twitter app. https://t.co/50fTcnHVEO
— Twitter Support (@TwitterSupport) August 5, 2020
The flaw was related to an underlying Android security issue (CVE-2018-9492), a high-severity bug in the checkGrantUriPermissionLocked method of ActivityManagerService.java in the Android framework.
The vulnerability could enable an attacker to bypass permissions, which can lead to local escalation of privilege.
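The OS-side bug is fixed by the Android security patch, but an app can also reduce how much of its private data is reachable through content URIs in the first place, which is the kind of app-side change Twitter describes. The script below is an added example, not Twitter's code or its actual fix: it audits an AndroidManifest.xml for content providers that are exported without a permission requirement, or that allow URI permission grants across the whole provider. The two manifests, package names, authorities and paths are constructed for illustration.

```python
"""Audit an AndroidManifest.xml for content providers that could expose
in-app data to other apps via content URIs. Added example; the manifests
below are constructed and do not represent any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def audit_manifest(manifest_xml: str) -> list:
    """Return a list of 'provider: issue' strings for risky provider settings."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for provider in app.findall("provider"):
        name = _attr(provider, "name", "?")
        exported = _attr(provider, "exported")
        grants = _attr(provider, "grantUriPermissions", "false") == "true"

        # Older API levels defaulted providers to exported=true, so require an
        # explicit value rather than relying on the platform default.
        if exported is None:
            findings.append(f"{name}: exported not set explicitly")
        elif exported == "true" and _attr(provider, "permission") is None \
                and _attr(provider, "readPermission") is None:
            findings.append(f"{name}: exported without a permission requirement")

        # grantUriPermissions=true lets the app hand out temporary access to
        # its URIs; without <grant-uri-permission> scoping, every URI under the
        # provider is eligible for such a grant.
        if grants:
            scoped = provider.findall("grant-uri-permission")
            if not scoped:
                findings.append(
                    f"{name}: grantUriPermissions=true with no "
                    "<grant-uri-permission> path restriction")
            for g in scoped:
                if (_attr(g, "path") is None
                        and _attr(g, "pathPrefix") in (None, "/")
                        and _attr(g, "pathPattern") is None):
                    findings.append(
                        f"{name}: grant-uri-permission covers the whole authority")
    return findings


# Constructed weak manifest: the messages provider is reachable by any app and
# allows grants over all of its data.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weak">
  <application>
    <provider android:name=".MessagesProvider"
              android:authorities="com.example.weak.messages"
              android:exported="true"
              android:grantUriPermissions="true" />
  </application>
</manifest>"""

# Constructed hardened manifest: private data is not exported and not
# grantable; the one provider that needs grants is scoped to a share path.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hardened">
  <application>
    <provider android:name=".MessagesProvider"
              android:authorities="com.example.hardened.messages"
              android:exported="false"
              android:grantUriPermissions="false" />
    <provider android:name=".AttachmentProvider"
              android:authorities="com.example.hardened.files"
              android:exported="false"
              android:grantUriPermissions="true">
      <grant-uri-permission android:pathPrefix="/shared/" />
    </provider>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or "no findings")
```

Run it as a script to see the weak manifest produce two findings and the hardened one none. The check deliberately does not flag a non-exported provider with scoped grants, since that is the normal pattern for sharing a single file with another app; what it flags is the combination that makes an app's private store broadly reachable.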
It was first disclosed by Google and publicized in the Android Security Bulletin in October 2018. It was later reported to Twitter by a security researcher through Twitter's bug bounty program.
That means the bug had been public for at least 22 months before Twitter fixed it in its app.
Twitter said it waited to make the information public so that no one could learn about the issue and take advantage of it before a fix was in place. This is a common approach to disclosing security flaws.
“Since then, we have been working to keep accounts secure,” said a Twitter spokesperson. “Now that the issue has been fixed, we’re letting people know.”
Twitter said it didn't find similar vulnerabilities in its iOS app or on its website.
“Your privacy and trust is important to us and we will continue working to keep your data secure on Twitter,” said Twitter.
This security issue comes at a bad time for Twitter, which is still dealing with the recent Bitcoin scam hack that affected 130 high-profile accounts of celebrities, brands and politicians.
The hijacked high-profile Twitter accounts were used to spread a cryptocurrency scam that promised to "double your money." The hack and the subsequent scam netted the attackers more than $100,000.
The hack was reportedly carried out through a phone spear-phishing attack that targeted Twitter employees.
The three people accused of gaining access to Twitter's internal "admin" tools and systems have since been arrested. The alleged mastermind is a 17-year-old from Florida who is said to have connections to black-market buyers looking to acquire valuable usernames.
Earlier, Twitter also disclosed that it expects to pay as much as $250 million to the Federal Trade Commission (FTC). The penalty stems from Twitter's admission in October that user phone numbers and email addresses collected for security purposes, as part of its two-factor authentication (2FA) setup, may have been used for targeted advertising.
Given these incidents, it will take Twitter a lot more than tweaking some technical parts of its platform to repair its brand and regain the trust of users and investors.
Still, its decision to tell people that it fixed an issue, despite being almost two years late, is better than saying nothing at all.