Twitter for Android Carried a Severe Privacy-Compromising Vulnerability

Last updated September 25, 2021
Written by: Bill Toulas, Infosec Writer

Twitter has announced a fix for its Android app that addresses a severe flaw that could have enabled an attacker to access sensitive private user data. That would include direct messages too, which, by the way, are still not end-to-end encrypted on the social media platform.

The flaw is exploited through a malicious app installed on the same device, which could indirectly bypass Android permissions and access the Twitter app's data. Twitter says it has no evidence that attackers exploited this vulnerability, but it can't be entirely sure about that.

Thus, the Twitter app was updated to prevent external apps from accessing its in-app data. Twitter's engineers essentially added an extra layer of protection on top of the Android OS safeguards, which proved inadequate in this case. Impacted users will receive in-app notices to update their Twitter app, so the window of exposure is shortened.

According to Twitter, the share of users vulnerable to this privacy-breaching bug is only about 4% of the Android ecosystem. That's because anyone running Android 10 is safe, and everyone on Android 8 or 9 who has applied a security patch released after October 2018 should also be protected from the flaw.

If your device is stuck on an even earlier version of Google's OS, it's well past time to buy a new model. The 4% figure given by Twitter sounds like a small portion of the user base. Still, considering that about two billion Android devices have downloaded the app, that would translate to roughly 80 million smartphones. What Twitter also failed to clarify is how long this bug remained open, which is more than a mere detail at this point.

This flaw does not affect the iOS version of the Twitter app, nor the web platform. So this is solely an Android issue, and having to discuss it in the summer of 2020 is a big failure not only for Twitter but for Android itself.

Android 10 was released back in September 2019, yet it still accounts for only about 25% of the Android market share. One-third of the Android devices out there still run 9.0 Pie, another 11.5% run 8.1 Oreo, and roughly 7% are stuck on 8.0 Oreo. The rest (25%) run even older, unsupported versions of the Android OS, so there's an obvious problem here that Google has failed to address all these years.
