Naked Security

If you think your deleted Twitter DMs are sliding into the trash, you’re wrong

They're never deleted, just erased from the UI. You can still see archived messages if you download your data.

You can’t erase your Twitter footsteps, it turns out: what goes into Twitter stays lodged in its guts for years.

That’s because of a glitch that a bug hunter is calling a “functional bug.” The bug, discovered by security researcher Karan Saini, keeps direct messages (DMs) from being completely deleted, regardless of whether you or others have deleted the messages, or even if the accounts that sent or received the DMs have been deactivated or suspended.

Saini told TechCrunch that he found years-old messages in a file when he downloaded an archive of his data from Twitter accounts that he’d previously deleted.

You can download data from your own account(s) here to get an idea of everything that Twitter collects, and retains, on you.
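If you do pull your archive, the practical question is what is still in it: messages from conversations you deleted, and counterparts you no longer talk to. The script below is an added example, not code from this article or from Twitter; it parses the direct-messages export and lists retained messages older than a cutoff, the other user IDs that appear, and a per-conversation count. The `window.YTD.direct_messages.part0 = [...]` wrapper and the `dmConversation` / `messageCreate` field names are assumptions about the export format, and the embedded sample is constructed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample standing in for a data/direct-messages.js file. The
# "window.YTD.<name>.part0 = [...]" wrapper and the dmConversation /
# messageCreate keys are assumptions about the export format.
SAMPLE_DIRECT_MESSAGES_JS = """window.YTD.direct_messages.part0 = [
  { "dmConversation" : {
      "conversationId" : "1001-2002",
      "messages" : [
        { "messageCreate" : { "id" : "1", "senderId" : "1001",
            "recipientId" : "2002",
            "text" : "old message, conversation later deleted in the UI",
            "createdAt" : "2015-03-02T10:15:00.000Z" } },
        { "messageCreate" : { "id" : "2", "senderId" : "2002",
            "recipientId" : "1001", "text" : "reply",
            "createdAt" : "2015-03-02T10:20:00.000Z" } }
      ] } },
  { "dmConversation" : {
      "conversationId" : "1001-3003",
      "messages" : [
        { "messageCreate" : { "id" : "3", "senderId" : "3003",
            "recipientId" : "1001", "text" : "recent message",
            "createdAt" : "2019-02-10T08:00:00.000Z" } }
      ] } }
]
"""

# Matches the JavaScript assignment prefix that precedes the JSON array.
ARCHIVE_PREFIX = re.compile(r"^\s*window\.YTD\.\w+\.part\d+\s*=\s*")


def parse_archive_js(js_text):
    """Strip the JS assignment wrapper and parse the remaining JSON array."""
    stripped = ARCHIVE_PREFIX.sub("", js_text, count=1).rstrip().rstrip(";")
    return json.loads(stripped)


def iter_messages(conversations):
    """Yield (conversation_id, message dict) for every messageCreate entry."""
    for entry in conversations:
        conv = entry.get("dmConversation", {})
        conv_id = conv.get("conversationId")
        for item in conv.get("messages", []):
            msg = item.get("messageCreate")
            if msg is not None:
                yield conv_id, msg


def _to_utc(stamp, fmt):
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def messages_older_than(js_text, cutoff_date):
    """Return (conversation_id, message_id, createdAt) for messages created
    before cutoff_date (a 'YYYY-MM-DD' string)."""
    cutoff = _to_utc(cutoff_date, "%Y-%m-%d")
    found = []
    for conv_id, msg in iter_messages(parse_archive_js(js_text)):
        created = _to_utc(msg["createdAt"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if created < cutoff:
            found.append((conv_id, msg["id"], msg["createdAt"]))
    return found


def counterpart_ids(js_text, own_user_id):
    """Return the set of other user IDs that still appear in retained DMs."""
    ids = set()
    for _, msg in iter_messages(parse_archive_js(js_text)):
        for key in ("senderId", "recipientId"):
            if msg.get(key) and msg[key] != own_user_id:
                ids.add(msg[key])
    return ids


def summarize(js_text):
    """Count retained messages per conversation."""
    counts = {}
    for conv_id, _ in iter_messages(parse_archive_js(js_text)):
        counts[conv_id] = counts.get(conv_id, 0) + 1
    return counts


if __name__ == "__main__":
    for conv_id, msg_id, when in messages_older_than(SAMPLE_DIRECT_MESSAGES_JS, "2018-01-01"):
        print(f"conversation {conv_id}: message {msg_id} from {when}")
    print("counterparts:", sorted(counterpart_ids(SAMPLE_DIRECT_MESSAGES_JS, "1001")))
    print("per conversation:", summarize(SAMPLE_DIRECT_MESSAGES_JS))
```

On a real archive, replace the sample string with the contents of the exported file and your own numeric user ID; the cutoff date is the point before which you would not expect anything to remain.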

The researcher says that he reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve DMs even after a message was deleted from both the sender and the recipient. That earlier bug couldn’t get at DMs from suspended accounts, however.

According to Twitter’s privacy policy, when you delete your account, everything is supposed to go up in smoke after a grace period of 30 days:

When deactivated, your Twitter account, including your display name, username, and public profile, will no longer be viewable on, Twitter for iOS, and Twitter for Android. For up to 30 days after deactivation it is still possible to restore your Twitter account if it was accidentally or wrongfully deactivated.

…with the exception of log data, which it keeps for up to 18 months. Log data includes information such as IP address, browser type, operating system, referring web pages, pages visited, location, mobile carrier, and device information.

Back in 2013, Twitter users could “unsend” DMs, meaning that they could rub them out of someone else’s inbox by simply deleting the messages from their own. Years ago, Twitter changed that: users can now only delete messages from their own accounts. From Twitter’s help page:

When you delete a Direct Message or conversation (sent or received), it is deleted from your account only. Others in the conversation will still be able to see Direct Messages or conversations that you have deleted.

According to Fortune, Saini reported the bug through HackerOne, a bug bounty platform that works with Twitter.

A Twitter spokesperson told TechCrunch that as of Friday, the company was looking into the matter “to ensure we have considered the entire scope of the issue.” Twitter also told Fortune that the issue is “still open,” so as of Saturday, they couldn’t publicly comment on specifics.

Like Saini, Twitter is also calling this a “functional bug,” as opposed to a “security bug.” Its spokespeople declined to comment when TechCrunch asked if Twitter considers account deletion to be akin to withdrawing consent to retain direct messages.

I asked Twitter for comment and will update this article if I hear back.
