Twitter says an Android OS security vulnerability may have exposed private data, including direct messages, of some of its Android users. The bug could have allowed an attacker to bypass Android system permissions and access private data of Twitter users by running a malicious app installed on the same device.
The vulnerability reportedly affected only devices running Android 8 Oreo or Android 9 Pie. Google patched the bug in the October 2018 Android security update, and Twitter says about 96 percent of its Android users already have a security patch level that protects them from it.
The remaining 4 percent of users, however, are still exposed. Twitter advises those users to update the Twitter app so that no other app on the device can read its in-app data. The company has fixed the issue on its end and says the updated app adds safety precautions beyond the standard Android OS protections.
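As an added illustration (not code from Twitter or from the article), a small app-side check that decides whether a device falls into the exposed group described above: it runs Android 8.0, 8.1 or 9 and its security patch level predates the October 2018 fix. The `PatchLevelCheck` class and `isExposed` name are assumptions; on a real device the inputs would come from `Build.VERSION.SDK_INT` and `Build.VERSION.SECURITY_PATCH`.

```java
import java.time.LocalDate;
import java.time.format.DateTimeParseException;

/** Device-side check for the Android 8/9 permission-bypass bug described in the article. */
public final class PatchLevelCheck {
    // The October 2018 Android security update carried the fix (per the article).
    static final LocalDate FIX_PATCH_LEVEL = LocalDate.of(2018, 10, 1);
    // Only Android 8.0 (API 26), 8.1 (API 27) and 9 (API 28) were affected.
    static final int FIRST_AFFECTED_SDK = 26;
    static final int LAST_AFFECTED_SDK = 28;

    /**
     * Returns true when the device is still exposed: it runs an affected release
     * and its security patch level is older than the October 2018 fix.
     * On Android, sdkInt is Build.VERSION.SDK_INT and securityPatch is
     * Build.VERSION.SECURITY_PATCH, a "YYYY-MM-DD" string (available since API 23).
     * java.time is available on all affected releases (API 26 and later).
     */
    public static boolean isExposed(int sdkInt, String securityPatch) {
        if (sdkInt < FIRST_AFFECTED_SDK || sdkInt > LAST_AFFECTED_SDK) {
            return false; // other releases were not affected by this bug
        }
        LocalDate patchLevel;
        try {
            patchLevel = LocalDate.parse(securityPatch); // ISO-8601 matches Android's format
        } catch (DateTimeParseException | NullPointerException e) {
            return true; // unknown or malformed patch level: fail closed, treat as unpatched
        }
        return patchLevel.isBefore(FIX_PATCH_LEVEL);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not values taken from the article.
        System.out.println(isExposed(27, "2018-09-05")); // Android 8.1 with a pre-fix patch level
        System.out.println(isExposed(28, "2018-10-05")); // Android 9 with the fix applied
        System.out.println(isExposed(29, "2018-09-05")); // Android 10, not an affected release
    }
}
```

An app would run such a check once at startup and, when it returns true, show the kind of in-app notice the article describes rather than silently relying on OS permissions.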
Twitter says it has no evidence that the vulnerability was exploited. It is nonetheless notifying its Android users of the issue through a pop-up in the app, and the in-app notice explains whether users need to do anything to keep their accounts safe.
A security researcher reported the bug to Twitter a few weeks ago through HackerOne, the platform Twitter uses for its bug bounty program. The company has since been working on a fix to prevent anyone from taking advantage of it.
"Since then, we have been working to keep accounts secure," a Twitter spokesperson told TechCrunch. "Now that the issue has been fixed, we're letting people know." Note that this issue did not affect Twitter for iOS or the web version.
Twitter reports an Android security vulnerability after last month's massive hack
News of this Android OS security vulnerability comes just weeks after the massive Twitter hack last month. A group of hackers gained access to an internal tool and hijacked Twitter accounts of several high-profile names.
They gained access to verified accounts of personalities including Elon Musk, Bill Gates, Mike Bloomberg, Joe Biden, Barack Obama, Kim Kardashian West, Kanye West, Jeff Bezos, and many others. In total, the hackers were able to access 130 Twitter accounts. They accessed direct messages of 36 of them and stole data from seven accounts.
The hackers then used those accounts to spread a Bitcoin scam, promising to send back double any amount of Bitcoin sent to a given address. Three people, including a minor, have been arrested and charged for this attack.