Twitter bug exposed nearly 100k protected accounts to unauthorized users
In a blog post published to Twitter’s site on Sunday this week, the company’s director of information security acknowledged that the flaw has been patched, but for the several months prior it could have allowed presumably private messages to be viewed by unauthorized users.
“We were alerted to and fixed a bug in our system that, for 93,788 protected accounts under rare circumstances, allowed non-approved followers to receive protected tweets via SMS or push notifications since November 2013,” Bob Lord blogged. “As part of the bug fix, we’ve removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future.”
In Twitter jargon, “protected accounts” are ones whose owner decides on an individual basis who is allowed to view their tweets.
“People will have to request to follow you; each follow request will need approval,” Twitter says on their site’s page pertaining to protected accounts.
For the last four months, though, a bug allowed those nearly 100,000 allegedly protected accounts to broadcast messages that could be read by others. Luckily for Twitter, however, the accounts impacted by the bug make up barely a fraction of the site’s total users: When Twitter filed paperwork last October with the Securities and Exchange Commission, it put its number of average monthly users at 218 million, or around 100 million a day. Taking those statistics into account, the 94,000 or so affected accounts represent about 0.00004 percent of all Twitter users.
For his part, Lord also offered Twitter users an online apology. According to some, though, the bug could have been enough to turn certain users away from the social networking site.
“While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened,” Lord admitted. “We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.”
“Fixed or not, let it be a reminder: if you’re posting stuff that you really don’t want anyone outside of a small group of people to see, Twitter … probably isn’t the right place for it,” Greg Kumparak wrote for TechCrunch on Monday.
Sunday’s announcement from Twitter came less than a week after the site unintentionally mailed out password reset emails to an unknown number of users.