Twitter has fixed an embarrassing bug that impacted 93,788 users of the service, who mistakenly believed that they had control over who could see their micro-blogging updates.
Although the vast majority of Twitter users post publicly, and allow the world and their dog to read their tweets, a small proportion of more privacy-concerned users have chosen to only allow trusted contacts to view their messages, and block access for everyone else.
If you had a protected Twitter account, your tweets should only have been viewable and searchable by yourself and approved followers.
However, this weekend Twitter announced that it had fixed a vulnerability that “under rare circumstances”, had allowed followers who had not been approved by Twitter users to receive so-called protected tweets via SMS and push notifications.
According to a brief blog post by Twitter, the privacy hole has been present since November 2013, and has exposed the updates of 93,788 accounts that Twitter users believed to be protected.
Twitter says it has removed all of the unapproved follows, and apologised to affected users:
While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened. We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.
Twitter is right. This should never have happened.
Users have an expectation that sites like Twitter, which offer the option of private communication, will do what they claim rather than be found to have loopholes that allow unauthorised parties to snoop upon confidential discussions.
The vast majority of Twitter users may not be using the site in this way, but it’s clear that some are – and their confidence will have been shaken by this latest revelation.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.