A vulnerability in Twitter for Android could have allowed attackers to access private direct messages (DMs) and other data.
Twitter has fixed a vulnerability in its Android app which could have allowed attackers to access private Twitter data, including direct messages (DMs), on Android devices.
The flaw is linked to an underlying Android operating system (OS) security issue (CVE-2018-9492), which affects OS versions 8 and 9, said Twitter. This high-severity flaw, first disclosed by Google in 2018, stems from the checkGrantUriPermissionLocked method of the ActivityManagerService.java component in Android. The vulnerability could allow an attacker to bypass permissions, leading to local escalation of privilege.
From there, "this vulnerability could allow an attacker, via a malicious application installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this," said Twitter in a Wednesday post.
Twitter said that 96 percent of Android users with the Twitter app already have an Android security patch installed that protects them from this vulnerability, but the remaining 4 percent of Twitter for Android users were still affected.
We recently fixed a vulnerability caused by an underlying Android Security issue with Android OS Versions 8 and 9. We don't have evidence that it was exploited, but we are being cautious. Some of you on Android will be asked to update your Twitter app. https://t.co/50fTcnHVEO
— Twitter Support (@TwitterSupport) August 5, 2020
Twitter said it does not have evidence that the flaw was exploited by attackers.
The news comes days after Twitter acknowledged it may be facing a Federal Trade Commission (FTC) fine of up to $250 million. The penalty stems from Twitter admitting in October that user phone numbers and email addresses collected for security purposes, as part of its two-factor authentication (2FA) policy, may have been used for targeted advertising.
It also comes weeks after a recent high-profile Twitter hack that compromised 130 accounts of high-profile users such as Bill Gates, Elon Musk, Apple and Uber, in order to promote a bogus advance-fee cryptocurrency deal. As part of that attack, the bad actors were able to access direct messages (DMs) for 36 of the 130 high-profile users whose accounts were hacked.
Twitter for its part said that, going forward, it has updated Twitter for Android to make sure that external apps cannot access Twitter in-app data by adding extra security precautions beyond standard OS protections, requiring anyone affected to update Twitter for Android, and sending in-app notices to anyone who may have been vulnerable.
"Your privacy and trust is important to us and we will continue working to keep your data secure on Twitter," said Twitter.
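Twitter did not say what its "extra security precautions beyond standard OS protections" are. As an added illustration, not Twitter's code and not a description of its actual fix, the following shows what a second layer of protection inside an app's own ContentProvider can look like: the provider refuses to serve private data to any caller that is not the app itself (or a package signed with the same key), and accepts only the exact URIs it serves, so that a mis-grant in the OS's URI-permission machinery does not by itself expose the data. The package name, authority, provider class, column names and sample row are hypothetical.

```java
// Added example: a ContentProvider that does not rely on framework
// URI-permission grants alone. All names here are hypothetical.
package com.example.hardened;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import java.util.List;

public class PrivateDataProvider extends ContentProvider {
    // Manifest entry this provider assumes (first layer, enforced by the OS):
    //   <provider android:name=".PrivateDataProvider"
    //             android:authorities="com.example.hardened.private"
    //             android:exported="false"
    //             android:grantUriPermissions="false" />
    // The checks below are the second layer; they hold even if the OS-level
    // URI-grant checks are bypassed, because they never consult those grants.

    private static final String AUTHORITY = "com.example.hardened.private";
    private static final String[] COLUMNS = {"_id", "peer", "body"};

    @Override
    public boolean onCreate() {
        return true;
    }

    // Only code running as this app's own UID, or a package signed with the
    // same certificate, may reach the data. A leaked or mis-granted URI
    // permission does not change the Binder calling UID, so it cannot pass.
    private void enforceTrustedCaller() {
        int caller = Binder.getCallingUid();
        int self = Process.myUid();
        if (caller == self) {
            return;
        }
        PackageManager pm = getContext().getPackageManager();
        if (pm.checkSignatures(caller, self) == PackageManager.SIGNATURE_MATCH) {
            return;
        }
        throw new SecurityException("uid " + caller + " may not access private data");
    }

    // Accept only the exact URI shape this provider serves (content://AUTHORITY/messages),
    // instead of trusting that whoever validated the URI earlier did so correctly.
    private void enforceKnownUri(Uri uri) {
        List<String> segs = uri.getPathSegments();
        boolean ok = AUTHORITY.equals(uri.getAuthority())
                && segs.size() == 1
                && "messages".equals(segs.get(0));
        if (!ok) {
            throw new IllegalArgumentException("unknown uri: " + uri);
        }
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceTrustedCaller();
        enforceKnownUri(uri);
        // Constructed sample row standing in for real cached private data.
        MatrixCursor cursor = new MatrixCursor(COLUMNS);
        cursor.addRow(new Object[]{1L, "peer_handle", "sample message body"});
        return cursor;
    }

    @Override
    public String getType(Uri uri) {
        enforceKnownUri(uri);
        return "vnd.android.cursor.dir/vnd.example.message";
    }

    // The provider is read-only for everyone; writes go through in-process code.
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```

The point of the caller-UID check is that it is independent of the code path the CVE lives in: URI permission grants are bookkeeping the framework does on behalf of the caller, whereas Binder.getCallingUid() is supplied by the kernel for every transaction. An app that keeps both layers still benefits from OS patches, but a bug in one layer no longer exposes its data on its own.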
Threatpost has attained out to Twitter for additional information and facts.