Twitter has started notifying users today about a dangerous security issue that can allow malicious Android apps running on users’ devices to access private Twitter data, including users’ direct messages (DMs).
According to a support document published today, Twitter said the bug existed because of an underlying vulnerability in the Android operating system itself.
Twitter didn’t specifically identify the Android OS bug, for safety reasons, but said the issue had been fixed since October 2018.
According to Twitter, the Android OS bug only impacted users of Android 8 (Oreo) and Android 9 (Pie), but not those on Android 10.
“Our understanding is 96% of people using Twitter for Android already have an Android security patch installed that protects them from this vulnerability,” Twitter said today.
“For the other 4%, this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this.”
The social network is now notifying users of the bug and urging them to update the “Twitter for Android” app if they’re using Android 8 or Android 9, where the issue can still be exploited.
The following message is being shown to users who are running an unpatched Android OS version or have used a vulnerable Android OS version in the past.
Twitter didn’t say how it found out about the issue but said that it hadn’t found any evidence the bug had been exploited in the wild prior to today. However, the company said that it wasn’t “completely sure” about this latter assessment.
The issue didn’t affect users of the company’s iOS app or web portal.