Twitter Bug Exposes User Information To 3rd Party Advert Providers

Micro-blogging site Twitter has disclosed that some of its advert partners were abusing a bug in its system that allowed them to extract user information without the consent of the account owner, which is also considered an internal data breach. The bug was fixed on August 5, 2019, and Twitter promised its entire userbase that a follow-up message will be sent individually to all victims of the bug abuse to address the concern. Some advert partners have known of the permission failure bug's existence since May 2018, but Twitter has not named them, according to @TwitterSupport. At that time, the micro-blogging site did not yet know the concrete details of the incident.

“Due to a bug in Twitter for iOS, we inadvertently collected and shared location data (at the zip code or city level). We have fixed the bug, but we wanted to make sure we shared more of the context around this with you,” said @TwitterSupport.

Account location data is held by Twitter in its user database as part of its data privacy policy, but it is not intended to be accessed by partner advertisers. The location data is usually used for the account recovery procedure, and delivering such information to advertisers is neither by design nor part of the company's business. To add insult to injury, when an account is affected by the bug, a knowledgeable advert partner can extract its location data without seeking the user's consent.

As we may recall, the European Commission has strongly enforced GDPR for EU member states and all companies that serve EU citizens since May 25, 2018. This coincidence may trigger a GDPR penalty or fine against Twitter due to the late public disclosure of the case. It took the company more than a year to confirm the existence of the bug, which surely involves the account information of an EU citizen.

“As part of a process we use to try and serve more relevant advertising on Twitter and other services since September 2018, we may have shown you ads based on inferences we made about the devices you use, even if you did not give us permission to do so,” explained the Twitter team.

Investigations are still ongoing with partners and with internal and external tech teams in order to determine the whole scope of the impact. Twitter also promised that any new findings will immediately be publicly disclosed without reservation. The micro-blogging site is rallying its users to continue supporting Twitter, saying it is committed to user privacy and to preventing a repeat incident.

Any Twitter user who wishes to contact Twitter representatives may do so using a custom form that the company provided. This is a developing story, hence hackercombat.com will provide more updates as soon as new information becomes available. With Twitter's userbase having passed the 321 million mark since February 2019, it is prudent for us at hackercombat.com to continue monitoring the progress of the story. This is a critical story since many of our readers are Twitter users as well, so we shall deliver updates as soon as possible.


Julia Sowells

Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as a security consultant while continuing to write for Hacker Combat in her limited spare time.
