Twitter found out about the bug after a security researcher reached out to them a few weeks ago via the company’s bug bounty programme.
Twitter has said that a security bug might have exposed the direct messages of users of the Twitter Android app. The company added, however, that there was no evidence the vulnerability had been exploited. The bug could have allowed malicious apps on the Android platform to bypass the data permissions built into the app and access private messages, the company said, adding that the bug was patched in October 2018 and only affected Android Oreo (version 8) and Android Pie (version 9). It has been fixed since then, the company added.
A TechCrunch report quoted a Twitter Spokesperson as saying that Twitter found out about the bug after a security researcher reached out to them a few weeks ago via the company’s bug bounty programme run via HackerOne.
The spokesperson was further quoted as saying that ever since Twitter found out about it, they had been working on fixing the issue so that the accounts remain secure. Now that the problem has been fixed, the company said it is letting people know. They waited to inform people about this bug since they felt that if the information about the security bug surfaced before it was fixed, it could be misused by someone else.
The company said that the majority of users had already updated the app to the newer versions and were therefore no longer vulnerable. However, it added that about 4% of its users were still running the old, vulnerable version and said that they would be notified to update the app as soon as possible.
Several users reported receiving in-app pop-ups notifying them of the issue.
The news is significant despite the bug being fixed, because it comes on the heels of a major Twitter security breach in which hackers gained access to an internal "admin" tool and took control of the accounts of several well-known figures, including former US President Barack Obama, Microsoft founder Bill Gates and tech entrepreneur Elon Musk, to run a cryptocurrency scam.