Twitter says an Android security bug may have exposed the private direct messages of its Android app users, but said that there was no evidence that the vulnerability was ever exploited.
The bug could have allowed a malicious Android app running on the same device to siphon off a user’s direct messages stored in the Twitter app by bypassing Android’s built-in data permissions. But, Twitter said that the bug, patched in October 2018, only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed.
A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher “a few weeks ago” through HackerOne, which Twitter uses for its bug bounty program.
Twitter said the vast majority of users had updated their Twitter for Android app and were no longer vulnerable. But the company said about 4% of users are still running an old and vulnerable version of its app, and users will be notified to update the app as soon as possible.
Many users began noticing in-app pop-ups notifying them of the issue.
News of the security issue comes just weeks after the company was hit by a hacker, who gained access to an internal “admin” tool, which along with two other accomplices hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in scammed funds.