The Twitter development team announced that they have recently discovered and fixed a serious security issue in their Android client. They found that attackers could have used a malicious app to look up private Twitter data using Android system permissions. The root cause apparently lay within the way the Android operating system is designed and mainly affects OS versions 8 and 9.
Twitter Fixes Their Android Version After Critical Data Leakage Hack Method Was Discovered
Twitter's security team today alerted users who have installed the Android client about a newly detected security issue. According to the public notice, the fault mainly affects Android 8 and 9, and the larger part of Twitter's Android users have already patched their devices to protect themselves. The underlying weakness was identified in the Android mobile operating system itself: an issue that allowed attackers to program a malicious app, installed on the local device, to hijack sensitive Twitter data. Android works by handing over requested information according to the permission levels the system has granted to a given app. It appears that potential attackers could have bypassed some of these security checks, allowing a specially programmed malware app to do exactly that. What is known is that this can potentially work with direct messages.
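The permission model described above is the only thing standing between an installed app and another app's private data, so the defensive pattern is to gate sensitive records both declaratively and at runtime. The following is an added example written for this article, not Twitter's code and not a description of the flaw itself: a hypothetical Android ContentProvider (`PrivateDataProvider`, permission name `com.example.app.permission.READ_PRIVATE_DATA`, authority `com.example.app.private`) that refuses to hand out records unless the caller holds an app-defined, signature-level permission, and re-checks that permission in code so that a manifest misconfiguration alone does not expose the data.

```java
// Added example, not Twitter's code. All package, permission and authority
// names below are hypothetical placeholders.
//
// AndroidManifest.xml fragment that pairs with this class:
//   <permission android:name="com.example.app.permission.READ_PRIVATE_DATA"
//               android:protectionLevel="signature" />
//   <provider android:name=".PrivateDataProvider"
//             android:authorities="com.example.app.private"
//             android:exported="false"
//             android:readPermission="com.example.app.permission.READ_PRIVATE_DATA" />
//
// exported="false" keeps other apps out entirely; readPermission with a
// signature-level permission is a second, independent gate in case the
// provider is later exported for same-signer companion apps.

package com.example.app;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;

public class PrivateDataProvider extends ContentProvider {
    // Hypothetical app-defined permission; declared with protectionLevel="signature"
    // so only apps signed with the same key can ever be granted it.
    private static final String READ_PERMISSION =
            "com.example.app.permission.READ_PRIVATE_DATA";

    @Override
    public boolean onCreate() {
        return true;
    }

    // Third gate: explicit runtime check against the calling identity. The
    // manifest declarations should already block unauthorised callers; this
    // check ensures the data stays protected even if they are misconfigured.
    private void enforceReadPermission() {
        if (getContext().checkCallingOrSelfPermission(READ_PERMISSION)
                != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("Caller lacks " + READ_PERMISSION);
        }
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceReadPermission();
        // Constructed sample rows standing in for sensitive records such as
        // private messages; a real provider would read from its own database.
        MatrixCursor cursor = new MatrixCursor(new String[] {"_id", "body"});
        cursor.addRow(new Object[] {1L, "constructed sample private message"});
        return cursor;
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.com.example.app.private";
    }

    // This provider is read-only for other components; mutations are refused.
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection,
                      String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```

Note that `checkCallingOrSelfPermission` is used rather than `checkCallingPermission` so that the app's own in-process reads (which do not cross Binder) still succeed; because the permission is signature-level, "self" holding it does not widen access to other apps.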
At this moment there have been no reported cases of abuse. However, given the potentially enormous impact of a scenario in which the Twitter client is abused, the company has released an updated Android client through the Google Play Store that adds secondary security precautions. Users who might be impacted are required to update to the latest version; in addition, in-app notices will be issued to them. Twitter for iOS is not impacted, as its permission levels are managed using a different approach.