Naked Security Naked Security

Twitter bug leaks iOS users’ location data to partner

Now fixed, the bug affected some users with multiple accounts running on an iOS device.

On Monday, Twitter said that it goofed: it mistakenly collected and shared some accounts’ location data with one of its partners, even if a user hadn’t opted in to sharing the data.

The bug, which only affected some Twitter users, has already been fixed.

It involved inadvertently collecting and sharing location data at the postal code or city level. The bug specifically affected some people who were using more than one Twitter account on iOS and who had opted into using the precise location feature in one of those Twitter accounts. On the affected devices, the location data sharing accidentally spilled from one opted-in account to other, non-opted-in accounts on the same device, Twitter said.

Twitter told Engadget that employees discovered the glitch.

Separately, Twitter says it intended to remove location data from fields sent to a trusted partner during an advertising process known as real-time bidding. That didn’t go as planned. The partner couldn’t see precise locations, as in, it didn’t get more precise than a postal code or city – an area equivalent to 5km squared, Twitter said.

The partner couldn’t get a precise address or map precise user movements. Nor did the partner get Twitter handles or other unique account IDs that could have revealed users’ identities.

While that location data was pretty fuzzy, it never should have been collected, or shared with the partner, in the first place. But it also means that for those people using Twitter for iOS whose location data was inadvertently collected, Twitter also may have shared that data with an advertising partner.

Twitter said the partner only had the data in its system for a short time: it’s already been deleted as part of the company’s normal data-handling procedures.

How many users, for how long, when?

Twitter’s announcement was short on specifics. It didn’t disclose how many users were affected when the location data sharing bug was in effect, nor for how long, and it didn’t name the partner with which it shared the data.

Twitter disclosed another privacy-jeopardizing glitch in January when it disclosed a bug that, under certain circumstances, switched private tweets to public view in Twitter for Android. That bug went unnoticed for four years, starting in November 2014.

The bug disabled the “Protect your Tweets” setting for Android users if certain account changes were made, Twitter said. Namely, Android users were told they’d be well-advised to check their settings if they changed the email address associated with their account during that time period.

At the time, the Irish Data Protection Commission (DPC) said it was mulling whether or not it would launch a formal investigation into the flaw.

Users have been notified

Twitter said that it’s already told the users whose accounts were affected that the location data-sharing bug has been fixed. It invited users to check their privacy settings to make sure you’re only sharing the data you actually want Twitter to see, and that it’s “very sorry” it happened.

Twitter says that if you have any questions, you can get in touch with its Office of Data Protection through this form.

Leave a Reply

Your email address will not be published. Required fields are marked *