Twitter has fixed a vulnerability in its Android app, which could have enabled attackers to access private Twitter data, like direct messages (DMs) on Android devices.
The flaw is related to an underlying Android operating system (OS) security issue (CVE-2018-9492), which affects OS versions 8 and 9, said Twitter. This high-severity flaw, first disclosed by Google in 2018, stems from the checkGrantUriPermissionLocked function in ActivityManagerService.java in Android. The vulnerability could enable an attacker to bypass permissions, leading to local escalation of privilege.
From there, “this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this,” said Twitter in a Wednesday post.
Twitter said that 96 percent of Android users with the Twitter app already have an Android security patch installed, which protects them from this vulnerability – but the remaining 4 percent of Twitter for Android users were still affected.
We recently fixed a vulnerability caused by an underlying Android Security issue with Android OS Versions 8 and 9. We don’t have evidence that it was exploited, but we're being cautious. Some of you on Android will be asked to update your Twitter app. https://t.co/50fTcnHVEO
— Twitter Support (@TwitterSupport) August 5, 2020
Twitter said it does not have evidence that the flaw was exploited by attackers.
The news comes days after Twitter acknowledged it may be facing a Federal Trade Commission (FTC) fine of up to $250 million. The penalty was due to Twitter admitting in October that user phone numbers and email addresses gathered for security purposes, as part of its two-factor authentication (2FA) policy, may have been used for targeted advertising.
It also comes weeks after a recent high-profile Twitter hack that compromised 130 accounts of prominent users such as Bill Gates, Elon Musk, Apple and Uber – to promote a bogus advance-fee cryptocurrency deal. As part of this attack, the bad actors were able to access direct messages (DMs) for 36 of the 130 users whose accounts were hacked.
Twitter for its part said that, moving forward, it has updated Twitter for Android to make sure that external apps can’t access Twitter in-app data, by adding extra safety precautions beyond standard OS protections. It is also requiring anyone impacted to update Twitter for Android, and is sending in-app notices to everyone who could have been vulnerable.
“Your privacy and trust is important to us and we will continue working to keep your data secure on Twitter,” said Twitter.
Threatpost has reached out to Twitter for further information.