A security vulnerability in Twitter for Android could have allowed attackers to access some users' direct messages, the company has disclosed.
Twitter on Wednesday said it has fixed a vulnerability in the Android app that for some users "could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like direct messages), by working around Android system permissions that protect against this." This was "related to an underlying Android OS security issue" on Android OS versions 8 and 9, the company said.
Twitter said it believes 96 percent of Android users have a patch protecting them from the vulnerability, and it doesn't have evidence that attackers actually exploited the flaw, but the company adds it "can't be completely sure" of that. It's sending notifications to the users who may have been affected, requiring them to update the Android app, and promising to identify "changes to our processes to better guard against issues like this."
This disclosure from Twitter comes after the company last month grappled with a massive hack, in which high-profile accounts including those belonging to former President Barack Obama and former Vice President Joe Biden were taken over to promote a Bitcoin scam. The company said that 130 accounts were targeted, and the attackers accessed direct messages on "up to 36" of them, including that of an elected official in the Netherlands. Brendan Morrow