Twitter Rushes to Fix Flaw in Android Version
Vulnerability Could Enable Hackers to Access User Data, Including Direct Messages
Twitter rushed out a fix Wednesday for a flaw in the Android version of its social media platform that could have allowed hackers to access user data, including within the Direct Message feature.
The bug is actually an underlying vulnerability in the Android operating system, but it can affect Twitter users and their data, according to a Twitter security bulletin. The flaw is present in versions 8 and 9 of the Android OS, but not in version 10.
> We recently fixed a vulnerability caused by an underlying Android Security issue with Android OS Versions 8 and 9. We don't have evidence that it was exploited, but we're being cautious. Some of you on Android will be asked to update your Twitter app. https://t.co/50fTcnHVEO
>
> Twitter Support (@TwitterSupport), August 5, 2020
The Twitter security bulletin did not describe the vulnerability in detail. The social media firm stresses there's no evidence that this flaw has been exploited in the wild.
The company estimates about 96% of its Android users are unaffected by the flaw. "For the other 4%, this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this," according to the Twitter security bulletin.
Twitter is urging users to upgrade to version 10 of Android to eliminate the risk of hackers exploiting the flaw.
Ray Kelly, principal security engineer at security firm WhiteHat Security, notes that application developers such as Twitter have struggled to ensure their platforms run securely on all mobile operating systems.
"Mobile apps are more complex in that vulnerabilities can exist on the back-end server, application code and, in this case, the underlying operating system itself," Kelly tells Information Security Media Group. "Often, companies are playing catch-up around mobile app security due to the ever-changing environment of SDKs [software development kits] and OS versions."
The latest security concern with Twitter comes as the company deals with the fallout from a July 15 hacking incident. Three suspects have been charged in connection with a scheme that used phone-based phishing to gather information from employees and then gain access to internal systems (see: Twitter Hack: Suspects Left Easy Trail for Investigators).
The hackers allegedly gained control of several high-profile Twitter accounts and sent fake messages to swindle about $120,000 in bitcoin from victims. It's also believed that the suspects gained access to some Twitter account user data, including information stored in the Direct Message feature (see: Dutch Lawmaker's Twitter Account Among 36 With Data Exposed).
The Wall Street Journal reported that one of the suspects charged in the case, 17-year-old Graham Ivan Clark, used simple phone phishing techniques to trick a Twitter employee into giving him initial access.
Following the initial phone-based phishing, the Journal reports, Clark allegedly used SIM swapping techniques - persuading a mobile operator's customer service employee to move a cell phone number to a different SIM card or port it to another carrier - and created phishing pages to further the attack and gain access to wider parts of Twitter's internal systems.
Two others who face charges, Mason Sheppard, 19, of Bognor Regis, UK, and Nima Fazeli, 22, of Orlando, Florida, allegedly helped Clark carry out the hacking incident.
Twitter has not addressed the specifics of the reported techniques used to conduct the account hijacking and cryptocurrency scam. But the company has noted that it is working on "improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams."
Chaos in Court
The case against Clark took another unexpected turn on Wednesday when the teenager appeared for a bail hearing in Tampa, Florida.
For a few seconds, the virtual hearing over Zoom was interrupted by pranksters who hijacked the feed with screams, chatter and even a few seconds of explicit adult content (see: Screams, Porn Interrupt Virtual Hearing for Twitter Suspect).