Twitter discovered a serious security vulnerability in its app for Android that could have allowed an attacker to hijack a user’s account and view their private messages.
However, the social network says it has fixed the flaw, which would have allowed a hacker to take control of a user’s Twitter account and not only view the user’s private messages but also send tweets and direct messages, view protected tweets and access all location information.
To do this, the hacker would have needed to insert malicious code into the restricted storage areas of the Twitter app, which tech experts say is a complicated process.
Twitter says it has no evidence that this has occurred or that the vulnerability in the app has been exploited, but it also admitted that the lack of evidence does not mean a user’s Twitter app hasn’t been exploited.
According to a Twitter blog post, the company has taken steps to fix the bug and is notifying users who could have been exposed to it, either by email or through the Twitter app itself, giving them specific instructions on what to do to stay safe. The blog states that the instructions could differ depending on the version of Android and of the Twitter for Android app that owners are using.
Twitter also reported in its blog that none of its Twitter for iOS apps for iPhone users were affected.
One Twitter user received a notification that asked them to update their app with the latest version of Twitter for Android as soon as possible in order to ensure that their Twitter account would be secure.
Twitter’s Support account made clear that the bug was fixed in version 7.93.4, released on Nov. 4, 2019 for KitKat, and in version 8.18, released on Oct. 21, 2019 for Lollipop and newer versions of Android.
Twitter’s Support account also clarified that Twitter is no longer supported on versions of Android older than KitKat.
The company blog does not explain how it came to know about the security flaw. It does not say whether an external security researcher reported the possible flaw or whether Twitter employees discovered it.