Naked Security

Twitter bug exposed some Android private tweets to public view

The latest privacy glitch, which went unnoticed for over four years, may trigger yet another EU privacy probe.

In October, after Twitter refused to give a user information about how it tracks him when he clicks on links in tweets (as is the right of EU citizens under the newly passed, sweeping General Data Protection Regulation [GDPR] privacy law), Irish privacy authorities launched an investigation into the platform’s privacy practices.

Things could get hairier still, given the major privacy glitch Twitter disclosed on Thursday.

Twitter said that it had become aware of a bug that, under certain circumstances, switched protected tweets to public view in Twitter for Android. The bug went unnoticed for more than four years, from 3 November 2014 until last Monday.

According to Twitter, the bug disabled the “Protect your Tweets” setting for Android users when certain account changes were made: specifically, changing the email address associated with the account. Android users who changed their email address at any point during that period would be well-advised to check their settings.

This doesn’t affect iOS or web users. Twitter says it fixed the issue on 14 January.

Twitter also turned “Protect your Tweets” back on for users it knows were affected. The thing is, the company isn’t entirely sure that it got to every affected account. Hence, it posted the notice in the Twitter Help Center and is encouraging people to review their privacy settings to make sure “Protect your Tweets” is still set correctly.

Graham X. Doyle, head of communications at the Irish Data Protection Commission (DPC), told Bloomberg Law on Thursday that the commission hasn’t yet launched a formal investigation into this new security flaw, but that it’s mulling the matter:

The [DPC] has been notified of this data breach and we are currently assessing its contents.

A company violating GDPR can face fines of up to 4% of its annual global turnover (or €20 million, whichever is higher).

Liz Kelley, a spokesperson for Twitter, told Bloomberg that it acted “immediately” to fix the problem once it was discovered. She said that Twitter’s also working with regulators to address the issue.

Twitter hasn’t put a number on how many users were affected.


Am I merely too “vintage” to envision why I might publish a tweet yet keep it private*? Tweeting seems to be an intrinsically public act (reliant of course upon other factors such as number of followers). What would be the purpose of a “private” tweet?

* Aside from the obvious privacy concerns naturally, in a service whose software glitch alters my own preference.


Twitter itself quite reasonably warns you that you can’t stop your followers sharing protected tweets (e.g. via screenshot or copy-and-paste) – they just can’t retweet them via Twitter itself.

However, as Twitter concedes, the “protected” system wasn’t supposed to do what it did – no matter how weak a protection might be it ought to work as claimed! – so they have fixed it.

My own 2p is that if you feel strongly enough to use the “protected tweets” feature you should probably not use Twitter at all. My understanding is that the world mostly agrees because the “protected” feature is not widely used.

