- Twitter has disclosed an Android security flaw that could expose direct messages.
- Users running Android Oreo or Pie were vulnerable.
- There’s no evidence attackers have used it so far.
Twitter has revealed a serious security flaw in its app just days after intruders compromised high-profile accounts.
An “underlying Android OS security issue,” disclosed in October 2018, allowed attackers to read Twitter direct messages on devices running Android 8 (Oreo) or Android 9 (Pie). Perpetrators would have used a “malicious app” on the device to bypass Android’s permissions and get the sensitive data.
About 96% of Twitter for Android users already have the relevant security patch installed to protect against this, the social network said. To address the remaining users, Twitter has updated its app to add extra safeguards against external apps. It’s also notifying affected users and requiring them to update.
Twitter didn’t find evidence that any hackers had used the flaw, but it was looking to update its “processes” to reduce the chances of a similar incident in the future. This didn’t affect iOS or web users.
This isn’t the first time Twitter has identified security flaws that could expose sensitive info. Researchers found in December 2019 that they could match phone numbers with users, and a hole discovered a year earlier let attackers use text spoofing to control UK accounts. The app-specific nature of this latest flaw is notable, though, and relatively uncommon.
The threat wasn’t necessarily high. To load the hostile app on a device, hackers needed to either trick users into installing the app voluntarily or else use another vulnerability to force the app to load. In both cases, the device would already be compromised — this would have just made it easier to take Twitter data.
However, it’s still significant that the flaw had been exploitable for a long time. The issue also underscores concerns about the timeliness of Android updates. It’s significant that 4% of the app’s entire Android user base was still vulnerable nearly two years after the patch was first available. That’s a lot of potential targets, and the percentages may well have been higher even a year earlier. Without fast and consistent security updates, there’s a risk issues like this can persist for a long while.