A Twitter glitch “inadvertently” leaked iOS users’ location data to an unnamed partner.
Twitter has disclosed a security bug in its platform that it said inadvertently leaked iOS users’ location data.
The Twitter for iOS bug leaked location data at the ZIP code or city level, according to the social media company’s announcement on Monday. Twitter stressed that it has fixed the bug, but offered scant details on when the bug was discovered, how many users were impacted, and who specifically accessed the location data.
“If you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,” Twitter said in a Monday post.
Twitter said that the glitch occurred during an advertising process known as Real-Time Bidding, and resulted in the location being sent to an unnamed partner. Real-Time Bidding allows Twitter advertisers to use partners’ systems to bid, buy and serve ads for social-media campaigns.
According to Twitter’s page, it shares device-level data, including demographic data, through these partnerships to help advertisers decide when to purchase ads and what ads to serve.
“For example, Twitter might share that a mobile device identifier corresponds to a male user, aged 25-34, in order to help advertisers serve ads better suited to that audience,” according to Twitter’s Help Page. “Twitter does not share your name, email, phone number or Twitter handle with [Real Time Bidding] partners. These partners may, however, connect the device-level data we share to a user’s name, email, phone number or other personal data based on other information in the partner’s possession (for example if the user signed up for an account with that partner’s service). These partnerships require that they get your consent before doing so.”
However, Twitter said it had intended to remove location data from the Real-Time Bidding fields sent to the partner – but that this “removal of location did not happen as planned.”
As a result, “for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner,” Twitter said.
The company sought to downplay the situation, saying it had implemented technical measures to “fuzz” the data shared so that it would be no more precise than ZIP code or city level, meaning the data cannot be used to determine an address or to map users’ precise movements. Twitter also stressed that the partner did not receive data such as Twitter handles or other unique account IDs that could have compromised user identities on Twitter – and that the location data has not been retained.
“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” said Twitter.
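The two failures Twitter describes above (location collected for an opted-out account because a sibling account on the same device had opted in, and a planned removal of location from the Real-Time Bidding fields that "did not happen as planned") are both consent-scoping and data-minimization problems. The following is an added example, not Twitter's or Threatpost's code, showing a per-account consent check beside the device-wide one, city-level coarsening of any fix that is collected, and an allowlist for outbound bid-request fields in place of a denylist. All field names, the `Account`/`Device` types and the sample coordinates are assumptions constructed for the illustration; the denylist miss is a hypothetical way such a removal can fail silently, not a description of Twitter's actual defect.

```python
"""Added illustration (not Twitter's code): per-account location consent on a
shared device, coarsening of any collected fix, and an allowlist for the
fields that leave for a Real-Time Bidding partner. Field names are assumed."""
from dataclasses import dataclass
from typing import Optional

Coord = tuple[float, float]


@dataclass
class Account:
    handle: str
    precise_location_opt_in: bool


@dataclass
class Device:
    device_id: str
    accounts: list[Account]
    gps_fix: Optional[Coord]  # constructed sample fix, or None


def collect_location_device_wide(device: Device, active: Account) -> Optional[Coord]:
    """Flawed pattern matching the article's description: the opt-in is checked
    across every account on the device, so an opted-out account is tracked
    whenever any sibling account opted in."""
    if any(a.precise_location_opt_in for a in device.accounts):
        return device.gps_fix
    return None


def collect_location_per_account(device: Device, active: Account) -> Optional[Coord]:
    """Corrected pattern: consent is scoped to the account currently in use."""
    if active.precise_location_opt_in:
        return device.gps_fix
    return None


def coarsen(fix: Coord, decimals: int = 1) -> Coord:
    """Round to one decimal degree (roughly 11 km), a city-level granularity,
    so that anything stored downstream cannot resolve a street address."""
    lat, lon = fix
    return (round(lat, decimals), round(lon, decimals))


# Allowlist of attributes permitted in an outbound bid request (assumed names).
RTB_ALLOWED_FIELDS = frozenset({"device_id", "gender", "age_bucket"})


def build_rtb_request_denylist(profile: dict) -> dict:
    """Hypothetical failure mode: a removal keyed on one field name silently
    misses a location field stored under a different key."""
    return {k: v for k, v in profile.items() if k != "location"}


def build_rtb_request_allowlist(profile: dict) -> dict:
    """Only explicitly approved fields leave; new or renamed location fields
    are dropped by default."""
    return {k: v for k, v in profile.items() if k in RTB_ALLOWED_FIELDS}


def demo() -> dict:
    # Constructed sample: two accounts on one phone, only one opted in.
    device = Device(
        device_id="constructed-device-id-0000",
        accounts=[Account("@work", True), Account("@personal", False)],
        gps_fix=(37.7793, -122.4193),
    )
    personal = device.accounts[1]
    profile = {
        "device_id": device.device_id,
        "gender": "m",
        "age_bucket": "25-34",
        "geo": coarsen(device.gps_fix),  # held at city level even when collected
    }
    return {
        "buggy_collected": collect_location_device_wide(device, personal),
        "fixed_collected": collect_location_per_account(device, personal),
        "denylist_leaks_geo": "geo" in build_rtb_request_denylist(profile),
        "allowlist_leaks_geo": "geo" in build_rtb_request_allowlist(profile),
        "coarse_fix": profile["geo"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the opted-out `@personal` account receiving a fix under the device-wide check and `None` under the per-account check, the denylist builder still forwarding the `geo` field while the allowlist builder drops it, and the stored fix already rounded to city scale. The design point is defense in depth: scope consent to the account, coarsen at collection so a downstream slip is bounded to ZIP or city precision, and make the outbound partner payload an explicit allowlist so that an unplanned field cannot reach the partner by default.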
This latest bug in Twitter’s platform is not the first vulnerability that the social-media platform has disclosed. In January, Twitter disclosed a security issue that had exposed protected tweets on Android devices for more than four years.
In December 2018, Twitter disclosed two recently-patched flaws, including a hole that accidentally enabled bad actors to pull the country codes of accounts’ phone numbers; the company also revealed that several IP addresses located in China and Saudi Arabia may have been trying to access the exposed data.
And in September 2018, Twitter said that a recently-patched bug in its platform enabled software developers to read users’ private direct messages or protected tweets. In May 2018, meanwhile, it said a flaw caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords. The social-media company said that it found and fixed the flaw, and that its investigation showed no indication of a breach or misuse.
Twitter did not respond to a request for comment from Threatpost by press time regarding the timeline and scope of the leak.