Twitter has owned up to a privacy goof that exposed some Android users’ private tweets.
That would be bad enough if the problem existed for an hour, or a day, or a month. But unfortunately for Twitter (and affected users) the problem was present from November 3 2014 until January 14 2019.
That’s over four years.
The good news is that the problem only affected users of Twitter for Android who had enabled the “Protect your Tweets” setting. The vast majority of Twitter users don’t protect their tweets, and in fact when you create an account on Twitter it is public by default – meaning anyone can view and interact with your tweets.
Read more on HITB.org.
But here’s the thing: I had spotted what may have been related to the issue described above. And on December 17, I sent a message to @TwitterSupport via DM that asked them how I could notify them of a data security problem if I didn’t want to sign up or register on HackerOne. I didn’t want any bounty or anything — I just wanted to tell them what I was seeing so they could look into it.
Twitter didn’t respond appropriately.
They never gave me a way to report the concern to them, and never asked me to describe the security problem I was observing. Instead, they simply said, “Thank you for taking the time to report this to us. We’ll take a look and will follow up if we need additional info from you. Have you checked out our Help Center for troubleshooting tips? It’s a great resource for instant answers to the most common questions: https://support.twitter.com .”
They never contacted me to follow up to ask for details.
One month later, they went public with their statement about the leak.
So here we are now, more than two months after I contacted @TwitterSupport, and they still haven’t contacted me. Nor have they addressed my original question: how can people notify them of a security concern if they don’t want to register on HackerOne? Why should we have to register for anything just to notify a company that they appear to have a data leak or security vulnerability?
I am seriously disappointed that Twitter still hasn’t responded to this concern. As I’ve been advocating for more than one decade now, companies really need to give us a way to notify them via email on other online tool. It’s that simple. And if they don’t give us a way, then they should be hit with a big monetary penalty. I shouldn’t have to register with a bug bounty program just to let a company know that they are leaking what should be protected information.
I’ll tweet a link to this post on Twitter and hope that Twitter contacts me and addresses this concern. If they don’t contact me and/or remedy this issue, I’ll file a formal complaint with the FTC, and if any other consumer-oriented organizations or advocates or security researchers want to sign on, they are welcome to join me.
As much as I love Twitter, this needs to be addressed and I will not just forget about this concern.