Twitter revealed a privacy error that affected the protected tweets of some users for 4 years. Because of the vulnerability, content that users had previously set to “private” was accidentally made public. Twitter said the vulnerability is limited to Android.
Twitter said that modifying certain account settings could make protected content public. For example, if a user changed their account email address, the “Protect Tweets” setting was disabled.
Users of the iOS app or the web version have not been affected. Any user who made these account changes between November 3, 2014 and January 14, 2019 (the date of the bug fix) may be affected by the problem.
As mentioned in a publication, this error occurred in specific situations:
“We notice a problem on Twitter for Android that disabled the “Protect your tweets” setting if certain changes were made to the account. This problem may have affected you if you had protected the activated Tweets in your settings, used Twitter for Android, and made certain changes to your account settings, such as changing the email address associated with your account between November 3, 2014 and January 14, 2019.”
They also added that the issue was fixed on January 14, after going unnoticed for 4 years.
Twitter said the company needed more examples to continue fixing the bug, but declined to provide more details. The team says it has already notified the affected users it has identified, but it still cannot confirm how many users were harmed by this error.
Many social media sites have faced similar situations in the past, and Facebook tops the list of those hit by similar issues. In December 2018, Facebook revealed that a Photo API bug gave app developers too much access to the photos of 5.6 million or more users.
Instagram, on the other hand, accidentally rolled out a design change to a large number of users and quickly ended the test after complaints from users. It also suffered a serious security leak because of the bug.
Therefore, Twitter users on Android who have a protected account should check their settings to confirm that the corresponding option is enabled.