Twitter has warned users of Twitter for Android about an “underlying Android OS security issue affecting OS versions 8 and 9” that could let attackers read the Direct Messages of roughly 4% of Twitter for Android users.
The social networking giant announced today that a malicious app installed on the same device could work around Android system permissions to access private Twitter data, including Direct Messages, stored on the phone. Although 96% of Twitter for Android users already have the Android security patch that closes this hole, that still leaves millions of people on unpatched devices.
“We recently discovered a security issue in Android OS 8 and 9 that could have impacted you. Our understanding is 96% of people using Twitter for Android already have an Android security patch installed that protects them from this vulnerability,” Twitter said, adding that it does not have evidence that this vulnerability was exploited by hackers.
Rather than relying entirely on the operating system's protections, Twitter advised Twitter for Android users to update the Twitter app, which now prevents external apps from reading Twitter's in-app data. The issue does not affect Twitter for iOS, but the company urged all users to install app updates as soon as they are released.
The vulnerability notification comes less than a week after three people were charged in the United States with carrying out a spear-phishing attack against Twitter employees in July and hijacking 130 Twitter accounts belonging to politicians, celebrities, and musicians.
The widely publicised attack began with a “phone spear phishing attack” against employees who had access to Twitter's account management tools. The attackers obtained some of those employees' credentials and used them to get into the company's internal systems.
They then targeted additional employees with access to Twitter's account support tools. With those credentials in hand, they went after 130 high-profile accounts: they accessed the Direct Messages of 36, tweeted from 45, and downloaded the Twitter data of seven.
With control of the 130 accounts, the hackers tweeted a Bitcoin giveaway scam, asking followers to send a certain amount of BTC to a specified wallet address and receive a larger sum in return. Because the posts appeared to come from the celebrities' own accounts, many Twitter users fell for it and sent more than $100,000 within a few hours before Twitter could sound the alarm.
The blatant social engineering tactic involved hackers taking over the Twitter accounts of Tesla CEO Elon Musk, former Microsoft boss Bill Gates, former U.S. President Barack Obama, Democratic candidate Joe Biden, Amazon CEO Jeff Bezos, Michael Bloomberg, Kanye West, Kim Kardashian West, and the official Twitter accounts of Apple and Uber, among others.
A month before the spear-phishing attack, Twitter had disclosed a separate security incident in which business users' billing information was stored in the browser's cache, where it could be read by anyone else using a shared computer. The incident affected business users who had paid for advertisements on the platform.
In 2018, Twitter also disclosed a bug in its Account Activity API (AAAPI), which businesses use to communicate with customers, that could deliver Direct Messages to the wrong recipient. The bug was present for around 16 months before it was fixed.
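The browser-cache incident described above is a general failure mode: a response carrying sensitive data that arrives without a `Cache-Control: no-store` directive is written to the browser's disk cache, where the next person at a shared machine can read it back. The following is an added example, not Twitter's code or data; the endpoint paths, headers, and billing record are constructed. It models how a browser decides whether it may store a response, shows the weak header set beside the hardened one, and runs a small audit over both.

```python
import json
from email.utils import formatdate

# Constructed sample record for a billing endpoint (not real data).
BILLING_RECORD = {"card_last4": "4242", "billing_address": "1 Example St"}
SENSITIVE_FIELDS = {"card_last4", "billing_address"}


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument} with
    lowercased directive names, e.g. 'no-store, max-age=0'."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def browser_may_store(headers):
    """True if a browser is allowed to write this response to its disk cache.

    Only 'no-store' forbids storage. 'private' merely keeps shared caches
    out, and 'no-cache' / 'max-age=0' only force revalidation before reuse:
    the body still sits on disk where another user of the machine can read it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in cc


def billing_headers(hardened):
    """Constructed headers for a billing endpoint. hardened=False reproduces
    the weak configuration (no caching directives at all); hardened=True
    adds the directives that keep the body out of every cache."""
    headers = {"Content-Type": "application/json",
               "Date": formatdate(usegmt=True)}
    if hardened:
        headers["Cache-Control"] = "no-store, private, max-age=0"
        headers["Pragma"] = "no-cache"  # for HTTP/1.0 intermediaries
        headers["Expires"] = "0"
    return headers


def audit(responses):
    """Return the paths whose JSON body carries a sensitive field while the
    headers still allow the response to be stored."""
    leaks = []
    for path, headers, body in responses:
        fields = set(json.loads(body))
        if fields & SENSITIVE_FIELDS and browser_may_store(headers):
            leaks.append(path)
    return leaks


def sample_responses(hardened):
    """Two constructed endpoint responses: the billing page and a
    non-sensitive campaign list that is fine to cache for a minute."""
    return [
        ("/ads/billing", billing_headers(hardened), json.dumps(BILLING_RECORD)),
        ("/ads/campaigns", {"Cache-Control": "private, max-age=60"},
         json.dumps({"campaigns": ["spring"]})),
    ]


if __name__ == "__main__":
    print("weak:", audit(sample_responses(hardened=False)))      # ['/ads/billing']
    print("hardened:", audit(sample_responses(hardened=True)))  # []
```

The point worth checking in your own applications is that `private` and `no-cache` are not enough: both still let the browser keep the body on disk. Only `no-store` prevents the response from being written at all, which is why the hardened header set above combines it with `private` and `max-age=0` rather than replacing them.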