Privacy bug exposed 93,788 protected Twitter accounts to snoopers

Twitter privacyTwitter has fixed an embarrassing bug that impacted 93,788 users of the service, who mistakenly believed that they had control over who could see their micro-blogging updates.

Although the vast majority of Twitter users post publicly, and allow the world and their dog to read their tweets, a small proportion of more privacy-concerned users have chosen to only allow trusted contacts to view their messages, and block access for everyone else.

Protected Twitter account

If you had a protected Twitter account, your tweets should only have been viewable and searchable by yourself and approved followers.

Sign up to our free newsletter.
Security news, advice, and tips.

However, this weekend Twitter announced that it had fixed a vulnerability that “under rare circumstances”, had allowed followers who had not been approved by Twitter users to receive so-called protected tweets via SMS and push notifications.

According to a brief blog post by Twitter, the privacy hole has been present since November 2013, and has exposed the updates of 93,788 accounts that Twitter users believed to be protected.

Twitter privacy bug

Twitter says it has removed all of the unapproved follows, and apologised to affected users:

While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened. We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.

Twitter is right. This should never have happened.

Users have an expectation that sites like Twitter, which offer the option of private communication, will do what they claim rather than be found to have loopholes that allow unauthorised parties to snoop upon confidential discussions.

The vast majority of Twitter users may not be using the site in this way, but it’s clear that some are – and their confidence will have been shaken by this latest revelation.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.