Privacy bug exposed 93,788 protected Twitter accounts to snoopers

Twitter has fixed an embarrassing bug that affected 93,788 users of the service, who mistakenly believed that they had control over who could see their micro-blogging updates.

Although the vast majority of Twitter users post publicly, and allow the world and their dog to read their tweets, a small proportion of more privacy-concerned users have chosen to only allow trusted contacts to view their messages, and block access for everyone else.


If you had a protected Twitter account, your tweets should only have been viewable and searchable by yourself and approved followers.


However, this weekend Twitter announced that it had fixed a vulnerability that, “under rare circumstances”, had allowed followers who had not been approved by the account owners to receive so-called protected tweets via SMS and push notifications.

According to a brief blog post by Twitter, the privacy hole had been present since November 2013 and had exposed the updates of 93,788 accounts that their owners believed to be protected.
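Twitter's post does not say what the root cause was, so the following is an added, hypothetical model of the class of bug the article describes, not Twitter's code: a protected account's tweets leak through a secondary delivery channel (SMS or push) because that channel does not apply the same authorization rule as the ordinary timeline read path. The data model (an `Account` with a `protected` flag, a `Follow` row with an `approved` flag, a set of handles subscribed to notifications for an author) and all sample handles are assumptions constructed for the example. It also includes the regression check a defender would want: compare every channel's recipient list against the single `can_view` rule and report anyone who should not have received the tweet.

```python
"""Hypothetical model of a protected-tweet leak via a notification channel.
Added illustration; not Twitter's code. Data model and sample data are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    handle: str
    protected: bool = False


@dataclass(frozen=True)
class Follow:
    follower: str   # handle of the account doing the following
    followee: str   # handle being followed
    approved: bool  # for a protected followee, True only once the owner accepts the request


@dataclass
class Graph:
    accounts: dict[str, Account] = field(default_factory=dict)
    follows: list[Follow] = field(default_factory=list)

    def can_view(self, viewer: str, author: str) -> bool:
        """The one authorization rule for reading `author`'s tweets.
        Owners see their own tweets; public accounts are readable by anyone;
        protected accounts are readable only by approved followers."""
        if viewer == author:
            return True
        if not self.accounts[author].protected:
            return True
        return any(
            f.follower == viewer and f.followee == author and f.approved
            for f in self.follows
        )

    def notify_recipients_vulnerable(self, author: str, subscribers: set[str]) -> set[str]:
        """Buggy fan-out: anyone with a follow row for `author` who has notifications on
        receives the tweet, whether or not the follow request was ever approved."""
        return {
            f.follower
            for f in self.follows
            if f.followee == author and f.follower in subscribers
        }

    def notify_recipients_fixed(self, author: str, subscribers: set[str]) -> set[str]:
        """Fixed fan-out: the delivery channel reuses can_view, so SMS/push enforce
        exactly the same rule as the web timeline."""
        return {h for h in subscribers if self.can_view(h, author)}

    def unauthorized_recipients(self, author: str, recipients: set[str]) -> set[str]:
        """Regression check: which recipients of a delivery should not have been able
        to read the tweet at all? Non-empty means a leak."""
        return {h for h in recipients if not self.can_view(h, author)}


def build_sample_graph() -> Graph:
    """Constructed sample: alice is protected; bob is an approved follower,
    carol has a pending (unapproved) request, dave does not follow at all."""
    g = Graph()
    for h, prot in (("alice", True), ("bob", False), ("carol", False), ("dave", False)):
        g.accounts[h] = Account(h, prot)
    g.follows.append(Follow("bob", "alice", approved=True))
    g.follows.append(Follow("carol", "alice", approved=False))
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    sms_subscribers = {"bob", "carol"}  # both turned on SMS alerts for alice
    leaked = g.notify_recipients_vulnerable("alice", sms_subscribers)
    print("vulnerable fan-out delivers to:", sorted(leaked))
    print("unauthorized recipients:", sorted(g.unauthorized_recipients("alice", leaked)))
    print("fixed fan-out delivers to:", sorted(g.notify_recipients_fixed("alice", sms_subscribers)))
```

The design point is that `can_view` is the only place the protected-account rule lives; the timeline, search and every notification channel call it rather than re-deriving "is a follower" from the follow table, which is where the pending-versus-approved distinction gets lost. The `unauthorized_recipients` check can be run over recorded deliveries as a periodic audit, which is the kind of control that would surface a bug like this long before November 2013 turned into the following year.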


Twitter says it has removed all of the unapproved follows, and apologised to affected users:

While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened. We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.

Twitter is right. This should never have happened.

Users expect that sites like Twitter, which offer the option of private communication, will do what they claim, rather than be found to have loopholes that allow unauthorised parties to snoop on confidential discussions.

The vast majority of Twitter users may not be using the site in this way, but it’s clear that some are – and their confidence will have been shaken by this latest revelation.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
