
Twitter says Android security bug gave access to direct messages

Twitter says a security bug may have exposed the private direct messages of its Android app users, but that there is no evidence the vulnerability was ever exploited.

The bug could have allowed a malicious Android app running on the same device to siphon off a user’s direct messages stored in the Twitter app by bypassing Android’s built-in data permissions, the sandboxing that is supposed to keep one app’s private storage out of reach of every other app. Twitter said the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and that it has since been fixed.

A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher “a few weeks ago” through HackerOne, which Twitter uses for its bug bounty program.

“Since then, we have been working to keep accounts secure,” said the spokesperson. “Now that the issue has been fixed, we’re letting people know.” Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed.

The notice sent to affected Twitter users. (Image: TechCrunch)

Twitter said the vast majority of users had already updated their Twitter for Android app and were no longer vulnerable. But the company said about 4% of users are still running an old, vulnerable version of the app, and that those users will be notified to update as soon as possible.
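For anyone who manages a fleet of Android devices and wants to know whether a handset still falls in that 4%, here is an added shell example (not from the article, and not Twitter’s own tooling) that applies the two conditions the article names: an Android 8 or 9 device (API levels 26, 27 or 28) and a Twitter for Android build older than a given minimum. The live inputs would come from `adb shell getprop ro.build.version.sdk` and `adb shell dumpsys package com.twitter.android`; the dumpsys text and version strings below are constructed so the script runs offline, and the minimum “fixed” version is a placeholder supplied by the caller, because the article does not say which build contains the fix.

```shell
#!/bin/sh
# Added example, not from the article or from Twitter. Flags a device that is
# still exposed by the article's two criteria: Android 8/9 (API 26, 27 or 28)
# and a Twitter for Android build older than a caller-supplied minimum.
#
# Live inputs (not used here, so the script runs offline):
#   adb shell getprop ro.build.version.sdk        -> API level
#   adb shell dumpsys package com.twitter.android -> contains versionName=...
#
# Constructed sample of the dumpsys output; the versionName is made up.
SAMPLE_DUMPSYS='Package [com.twitter.android] (3f1a9c2):
    userId=10123
    versionCode=29450000 minSdk=21 targetSdk=29
    versionName=8.45.0-release.00
    splits=[base]'

# Print the versionName field from dumpsys text on stdin (first match only).
version_name() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# True (exit 0) if dotted version $1 is older than $2. Build suffixes such as
# "-release.00" are stripped first; fields are compared numerically, so
# 8.9.0 sorts before 8.45.0 (a plain string compare would get that wrong).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    [ "$a" != "$b" ] &&
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$a" ]
}

# True (exit 0) only when BOTH conditions hold: API level is 26, 27 or 28
# (Android 8.0, 8.1 and 9) and the installed build is older than $3.
at_risk() {
    sdk=$1
    installed=$2
    minimum=$3
    case "$sdk" in
        26|27|28) version_lt "$installed" "$minimum" ;;
        *)        return 1 ;;
    esac
}

# Walk-through on the constructed sample. MIN_OK is an assumed placeholder;
# replace it with the first build you have verified contains the fix.
MIN_OK="8.50.0"
installed=$(printf '%s\n' "$SAMPLE_DUMPSYS" | version_name)
if at_risk 28 "$installed" "$MIN_OK"; then
    echo "API 28 device running Twitter $installed (< $MIN_OK): push the update"
else
    echo "API 28 device running Twitter $installed: not in the affected set"
fi
```

The numeric field-by-field sort is the part worth copying: version strings are not lexically ordered, and a naive `[ "$installed" \< "$minimum" ]` would report 8.9.0 as newer than 8.45.0. Devices on Android 10 or later are reported as not at risk regardless of the app build, matching the scope the article gives, though keeping the app current on them is still the sensible default.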

Many users began noticing in-app pop-ups notifying them of the issue.

News of the security issue comes just weeks after the company was hit by a hacker who gained access to an internal “admin” tool and, along with two accomplices, hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in scammed funds.

The Justice Department charged three people — including one minor — allegedly responsible for the incident.



Vicariously mimics another person’s Twitter feed using lists, but it violates Twitter rules

That Vicariously app you might have seen pop up in your Twitter feed via a little viral growth hacking has run aground on Twitter’s automation rules. We reached out about it after it started spamming my feed with ‘so-and-so has added you to a list’ notifications, and Twitter says that the app is not in compliance.

Updates below.

To be fair, they did also say they ‘love’ it — but that it will have to find a different way to do what it does.

“We love that Vicariously uses Lists to help people find new accounts to follow and get new perspectives. However, the way the app is currently doing this is in violation of Twitter’s automation rules,” Twitter said in a statement. “We’ve reached out to them to find a way to bring the app into compliance with our rules.”

The app was made by Jake Harding, an entrepreneur who built it as a side project.

The app enumerates the accounts that a target account follows and builds a Twitter list out of them. The result is a list that is a snapshot of the exact feed (minus algorithmic ranking) that the target sees when they open the app. Intriguing, right?

Well, it turns out Twitter has done this itself twice before, once in 2011 and originally waaaay back in 2009. The product had a built-in feature that let you click through and view someone’s follower graph as a feed with a tap.

I was there in 2009 when it was a thing, and I can tell you that it was just flat out cool to see someone else’s graph going by. In the early growing days it was very interesting to see who was following who or what. It sort of taught you how to ‘do’ Twitter when everyone was learning it together. I can see why Harding wanted a duplicate of this in order to re-create this feeling of ‘snapshotting’ someone else’s info apparatus.

Unfortunately, one of the big side effects of the way Vicariously duplicates this feature with an automated ‘list builder’ is that it spams every person it adds to the list, since Twitter always notifies you when someone adds you to a list and there is currently no way to turn that off.

So you see a lot of ‘added to their list’ tweets and notifications.

There are also other issues with the way Vicariously works, because it builds public lists of people’s follower graphs. There is potential for abuse here: anyone can see, and therefore target, the people that a given account follows. One of the major reasons Twitter killed this feature twice is that the whole thing feels hyper-personal. Your Twitter follower graph is something that you, theoretically, curate. Though a lot of people have become more performative with follows and instead, ironically, add the people they actually want to ‘follow’ to lists.

Having your graph public is something that felt exciting and connective at one point in Twitter’s life. But the world may be too big and too nasty now for something like this to feel really comfortable if it ever spreads beyond the technorati/Twitter power user crowd. We’ll see I guess.

Oh, and Twitter, it is about time you built in a ‘cannot be added to lists’ setting. Otherwise, as someone reminded me via DM, you run the risk of making all of the same mistakes as Facebook.

Update July 27th 7:50PM PT. Harding posted some tweets from the official Vicariously account noting that he is adding some privacy controls to the app. He also notes that he’s hoping to work with the Twitter developer relations team to build out the product in a way that prevents abuse.
