Twitter warns about Android app security issue that could have allowed account takeover
Twitter today began emailing Android users about a security issue that “could have compromised” accounts. The issue was fixed several weeks ago and there is no “evidence that this was exploited,” but the company is encouraging everyone to update.
A blog post titled “Twitter for Android Security Issue” and dated this month describes how the vulnerability “could allow a bad actor to see nonpublic account information or to control your account.” The latter possibly includes sending Tweets or Direct Messages, while information that could have been accessed includes DMs, protected Tweets, and location.
At issue was the “insertion of malicious code into restricted storage areas of the Twitter app,” through what Twitter called a “complicated process.” Twitter has informed us that today’s problem is not related to the SDK issue that emerged in late November.
Twitter doesn’t have “evidence that malicious code was inserted into the app or that this vulnerability was exploited,” but the warning and extra caution come because it “can’t be completely sure.”
Users are advised to make sure they’ve updated to the latest version, though the Twitter Support account clarified that the “issue was fixed in Twitter for Android version 7.93.4 (released Nov. 4, 2019 for KitKat) as well as version 8.18 (released Oct. 21, 2019 for Lollipop and newer).” Most users are presumably already patched against the problem.
We have taken steps to fix this issue and are directly notifying people who could have been exposed to this vulnerability either through the Twitter app or by email with specific instructions to keep them safe. These instructions vary based on what versions of Android and Twitter for Android people are using. We recommend that people follow these instructions as soon as possible.