Twitter exposed some Android users’ protected tweets, and didn’t notice for over four years

Check your privacy settings haven’t been disabled by Twitter.

Graham Cluley
Graham Cluley
@[email protected]

Twitter exposed some Android users' protected tweets, and didn't notice for over four years

Twitter has owned up to a privacy goof that exposed some Android users’ private tweets.

That would be bad enough if the problem existed for an hour, or a day, or a month. But unfortunately for Twitter (and affected users) the problem was present from November 3 2014 until January 14 2019.

That’s over four years.

Sign up to our free newsletter.
Security news, advice, and tips.

The good news is that the problem only affected users of Twitter for Android who had enabled the “Protect your Tweets” setting. The vast majority of Twitter users don’t protect their tweets, and in fact when you create an account on Twitter it is public by default – meaning anyone can view and interact with your tweets.

But a small proportion of Twitter users do prefer to protect their tweets – meaning that the only people who can follow and interact with their tweets are users who they authorised.

So far, so reasonable.

But everything seems to have changed on November 3 2014 when Twitter introduced a bug which only impacted users who had “protected” accounts.

As Twitter explains:

You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.

In short, the Twitter Android app reset the “Protect your Tweets” setting without users’ knowledge or permission, if other account settings were changed. The same bug did not apply to the official Twitter app for iOS or the web versions of Twitter.

To make things worse, Twitter admits that it cannot be sure that it knows what accounts may have been impacted. So potentially-affected users are being “encouraged” to review their privacy settings to check that “Protect your Tweets” is set properly.

For this bug to have lurked for so long tells me two things:

  1. Not many users are making use of the “Protect your tweets” feature, and even less of them are running the Android app and changing their account settings.
  2. Twitter’s quality control needs to improve. They simply cannot have tested the functionality properly.

Of course, it’s also worth bearing in mind that even if you do successfully set your social networking updates to be private, that doesn’t mean they’re private from the social networking site itself.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.