Endpoint Security , Fraud Management & Cybercrime , Governance & Risk Management

Twitter Rushes to Fix Flaw in Android Version

Vulnerability Could Enable Hackers to Access User Data, Including Direct Messages
Twitter Rushes to Fix Flaw in Android Version
Twitter issued an update about an Android vulnerability.

Twitter rushed out a fix Wednesday for a flaw in the Android version of its social media platform that could have allowed hackers to access user data, including within the Direct Message feature.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

The bug is actually an underlying vulnerability in the Android operating system, but it can affect Twitter users and their data, according to a Twitter security bulletin. The flaw is present in versions 8 and 9 of the Android OS, but not in version 10.

The Twitter security bulletin did not describe the vulnerability in detail. The social media firm stresses there's no evidence that this flaw has been exploited in the wild.

The company estimates about 96% of its Android users are unaffected by the flaw. "For the other 4%, this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this," according to the Twitter security bulletin.

Twitter is urging users to upgrade to version 10 of Android to eliminate the risk of hackers exploiting the flaw.

Ray Kelly, principal security engineer at security firm WhiteHat Security, notes that application developers such as Twitter have struggled to ensure their platforms run securely on all mobile operating systems.

"Mobile apps are more complex in that vulnerabilities can exist on the back-end server, application code and, in this case, the underlying operating system itself," Kelly tells Information Security Media Group. "Often, companies are playing catch-up around mobile app security due to the ever-changing environment of SDKs [software development kits] and OS versions."

Security Concerns

The latest security concern with Twitter comes as the company deals with the fallout from a July 15 hacking incident. Three suspects have been charged in connection with a scheme that used phone-based phishing to gather information from employees and then gain access to internal systems (see: Twitter Hack: Suspects Left Easy Trail for Investigators).

The hackers allegedly gained control of several high-profile Twitter accounts and sent fake messages to swindle about $120,000 in bitcoin from victims. It's also believed that the suspects gained access to some Twitter account user data, including information stored in the Direct Message feature (see: Dutch Lawmaker's Twitter Account Among 36 With Data Exposed).

Ongoing Investigation

The Wall Street Journal reported that one of the suspects charged in the case, 17-year-old Graham Ivan Clark, used simple phone phishing techniques to trick a Twitter employee into giving him initial access.

Following the initial phone-based phishing, the Journal reports, Clark allegedly used SIM swapping techniques - persuading a mobile operator's customer service employee to move a cell phone number to a different SIM card or port it to another carrier - and created phishing pages to further the attack and gain access to wider parts of Twitter's internal systems.

Two others who face charges, Mason Sheppard, 19, of Bognor Regis, UK, and Nima Fazeli, 22, of Orlando, Florida, allegedly helped Clark carry out the hacking incident.

Twitter has not addressed the specifics of the reported techniques used to conduct the account hijacking and cryptocurrency scam. But the company has noted that it is working on "improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams."

Chaos in Court

The case against Clark took another unexpected turn on Wednesday when the teenager appeared for a bail hearing in Tampa, Florida.

For a few seconds, the virtual hearing over Zoom was interrupted by pranksters who hijacked the feed with screams, chatter and even a few seconds of explicit adult content (see: Screams, Porn Interrupt Virtual Hearing for Twitter Suspect).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.