Twitter has warned of a serious security vulnerability in its Android app that could have allowed an attacker to hijack an account and view private messages.
The social network said it recently fixed the bug which allowed an attacker to commandeer an account to send tweets and direct messages as well as view direct messages, protected tweets and location information.
To access private information the attacker would have to go “through a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app”.
Twitter said it lacked evidence that malicious code was ever inserted into the app or that the vulnerability was exploited, but it admitted that doesn’t mean it hadn’t been exploited.
“We don’t have evidence that malicious code was inserted into the app or that this vulnerability was exploited, but we can’t be completely sure so we are taking extra caution,” Twitter said in a blog post.
The bug didn’t affect its iOS app for iPhone users. It’s notifying Android users through email notifications and app notifications.
“We have taken steps to fix this issue and are directly notifying people who could have been exposed to this vulnerability either through the Twitter app or by email with specific instructions to keep them safe. These instructions vary based on what versions of Android and Twitter for Android people are using,” Twitter said.
A note sent to one Twitter user read: “Please update to the latest version of Twitter for Android as soon as possible to make sure your account is secure.”
The Twitter Support account clarified on Twitter that the issue was fixed in “version 7.93.4 (released Nov. 4, 2019 for KitKat) as well as version 8.18 (released Oct. 21, 2019 for Lollipop and newer).”
It also noted that Twitter is no longer supported on versions of Android that are older than KitKat.
The company didn’t explain how it learned of the security flaw, for example, whether it was reported by an external security researcher or whether it was discovered by employees.
Twitter on Friday also revealed it had removed 5,929 accounts linked to a disinformation campaign originating in Saudi Arabia.
“These accounts represent the core portion of a larger network of more than 88,000 accounts engaged in spammy behaviour across a wide range of topics. We have permanently suspended all of these accounts from the service,” Twitter said.