Twitter flaw could expose Android users' direct messages: What to do

Twitter on a Samsung Android smartphone (Image credit: ThomasDeco / Shutterstock.com)

Twitter has warned many Android users of a critical security vulnerability in the Twitter app that could have enabled hackers to access direct messages, which are supposed to be private.

The social-media company confirmed that the flaw made it possible for threat actors to view private user data “through a malicious app installed on your device” and by “working around Android system permissions that protect against this”.

Critical flaw

Anyone who owns an Android phone that runs or has run Android 8 Oreo or Android 9 Pie got a pop-up notification yesterday (Aug. 5) about the flaw when they opened the Twitter app. For most people, the threat has passed.

Twitter said in a blog post that 96% of its Android users had already received Android security patches or version upgrades to fix this issue, but said the other 4% were still vulnerable. 

“We recently discovered and fixed a vulnerability in Twitter for Android related to an underlying Android OS security issue affecting OS versions 8 and 9,” said the blog. 

The security issue never affected Android 7 Nougat or earlier, or Android 10. Android versions 8 Oreo and 9 Pie were patched with security updates issued in October 2018, but it's likely that there are still millions of phones out there that haven't installed, or may never receive, that patch.
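As an added example (not code from the article, from Twitter, or from Google), the following POSIX shell script turns the exposure window described above into a check an administrator can run against a device: it reads the Android release and security patch level, flags Android 8 or 9 devices whose patch level predates October 2018 as potentially vulnerable, and reports everything else as not affected or patched. The property names `ro.build.version.release` and `ro.build.version.security_patch` are the standard Android system properties shown by `adb shell getprop`; the cutoff of 2018-10-01 is an assumption derived from the article's "October 2018" wording, and the sample `getprop` dump is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from Twitter: classify an Android
# device's exposure window using only what the article states. Affected OS
# versions are 8 and 9; the OS-level fix shipped in the October 2018 security
# patches; Android 7 and earlier and Android 10 were never affected.
# It says nothing about the Twitter app version itself, so the article's own
# mitigation (update Twitter for Android) applies whatever this prints.

# Cutoff assumed from the article: a patch level of October 2018 or later
# carries the OS fix. Patch levels are compared as YYYYMMDD integers.
PATCH_CUTOFF=20181001

# classify_device RELEASE PATCH_LEVEL
#   RELEASE     value of ro.build.version.release, e.g. "8.1.0" or "9"
#   PATCH_LEVEL value of ro.build.version.security_patch, e.g. "2018-09-05"
# Prints one of: not-affected | patched | potentially-vulnerable | unknown
classify_device() {
    major="${1%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -ne 8 ] && [ "$major" -ne 9 ]; then
        echo not-affected; return 0
    fi
    case "$2" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    patch_num=$(printf '%s' "$2" | tr -d '-')
    if [ "$patch_num" -lt "$PATCH_CUTOFF" ]; then
        echo potentially-vulnerable
    else
        echo patched
    fi
}

# getprop_value DUMP NAME: pull one property out of "adb shell getprop" text,
# whose lines look like "[ro.build.version.release]: [8.1.0]". NAME is a
# sed-escaped property name. Carriage returns from adb are stripped.
getprop_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# classify_from_getprop DUMP: classify a device from its full getprop output.
classify_from_getprop() {
    classify_device \
        "$(getprop_value "$1" 'ro\.build\.version\.release')" \
        "$(getprop_value "$1" 'ro\.build\.version\.security_patch')"
}

# Constructed sample of getprop output (not from a real device): an Android 8.1
# phone still on the September 2018 patch level, inside the window the article
# describes.
SAMPLE_GETPROP='[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-09-05]'

# Stand-alone run: prints "potentially-vulnerable" for the sample.
classify_from_getprop "$SAMPLE_GETPROP"
```

Against a real device the same function is fed live output, for example `classify_from_getprop "$(adb shell getprop)"`. A result of `patched` or `not-affected` only describes the OS side of the issue; the app-side fix still requires updating Twitter for Android, as the article goes on to say.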

According to Twitter, it doesn't seem that anyone has leveraged the flaw to compromise user data. 

However, the firm added that it “can’t be completely sure”, and because of this, it’s outlined several steps to “keep the small group of potentially vulnerable people safe.”

The steps outlined by Twitter include:

  1. Requiring anyone that may be impacted to update Twitter for Android
  2. Sending in-app notices to everyone who could have been vulnerable to let them know if they need to do anything
  3. Identifying changes to our processes to better guard against issues like this

Mitigations 

It added that in order to “keep your data safe”, users should “update to the latest version of Twitter for Android on all Android devices that you use to access Twitter.”

Twitter said the vulnerability only affected certain Android users, and not anyone using Twitter on iOS or through a web browser. 

With social media accounts a core target of hackers, the best way to stay safe is to ensure your apps are always up-to-date, generate strong and unique passwords, set up two-factor authentication, and use one of the best antivirus solutions. 


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!