Twitter Fixes Bug that Enabled Takeover of Android App Accounts

2019-12-23T19:29:32
ID THREATPOST:64197BF5939DF43DB3DE1071D52C5AB1
Type threatpost
Reporter Tom Spring
Modified 2019-12-23T19:29:32

Description

Twitter for Android users are being urged to update their app to avoid a security bug that allows a malicious user to access private account data and could also allow an attacker to take control of accounts to send tweets and direct messages. The warning comes from Twitter who said there are no indications the flaw was exploited and that the fix requires a simple app update.

The company said impacted Twitter users will be contacted via email or via Twitter itself if they are vulnerable to attack. Some users impacted by the bug were sent a message that read: “Please update to the latest version of Twitter for Android as soon as possible to make sure your account is secure.”

In a post late last week, Twitter said to exploit the flaw a hacker must first insert malicious code into a restricted storage areas of the Twitter app. The company did not disclose any further technical details of the hack.

According to Twitter Support, the bug impacts older versions of Android and that versions 7.93.4 (KitKat – released Nov. 4, 2019) and version 8.18 (Lollipop – released Oct. 21, 2019) and after have already been updated with the fix. According to the Google Play download page for Twitter for Android the app was last updated Dec. 17, 2019.

> To provide more detail, this issue was fixed in Twitter for Android version 7.93.4 (released Nov. 4, 2019 for KitKat) as well as version 8.18 (released Oct. 21, 2019 for Lollipop and newer). Twitter for Android is no longer supported on Android OS versions older than KitKat. > > — Twitter Support (@TwitterSupport) December 20, 2019

Twitter also reminded users that it does not support Twitter for Android running on versions of Android older than KitKat, released October 31, 2013.

“If you’re unable to update your app, use https://twitter.com. We’re sorry about this and we’ll continue working to keep your information secure on Twitter,” Twitter Support wrote via Twitter.