The bug could have allowed a malicious Android app running on the same device to read a user's direct messages stored by the Twitter app, bypassing Android's built-in data permissions that are supposed to keep one app's private data isolated from other apps.
Twitter said, however, that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed.
A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher through Twitter’s bug bounty platform, HackerOne, a “few weeks ago” and was investigated and fixed.
“Since then, we have been working to keep accounts secure,” said the spokesperson. “Now that the issue has been fixed, we’re letting people know.” Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed — a common approach to reporting security flaws.
Twitter said about 4% of users are still running a vulnerable version of Twitter for Android, and will be notified to update the app as soon as possible. Many users began noticing in-app pop-ups notifying them of the issue.
News of the security issue comes just weeks after the company was hit by a hacker who gained access to an internal "admin" tool and, along with two accomplices, hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to "double your money." The hack and subsequent scam netted over $100,000.
The Justice Department charged three people — including one minor — allegedly responsible for the incident.