Twitter discloses another vulnerability in its Android app that could have allowed access to DMs

Today, Twitter has disclosed a vulnerability within its Android app that, if exploited, could have allowed malicious parties access to private user data including DMs and more.

In a brief post, Twitter explains that a recently-discovered vulnerability has existed in the company’s Android app which could have allowed other apps with malicious intent the ability to see private Twitter data on your device. Apparently, this issue was related to a problem that Google fixed in October 2018’s security patch which means that 96% of Twitter for Android users were not vulnerable to this issue.

Fortunately, Twitter is unaware of any cases of the 4% of users who were vulnerable to this issue that affected Android 8 and Android 9. To keep those users safe, though, Twitter is requiring its latest update on Android which fixes the vulnerability as well as implementing in-app safety precautions. In-app notices, as seen below, are also rolling out to some users.

We recently discovered and fixed a vulnerability in Twitter for Android related to an underlying Android OS security issue affecting OS versions 8 and 9. Our understanding is 96% of people using Twitter for Android already have an Android security patch installed that protects them from this vulnerability. For the other 4%, this vulnerability could allow an attacker, through a malicious app installed on your device, to access private Twitter data on your device (like Direct Messages) by working around Android system permissions that protect against this.

We don’t have evidence that this vulnerability was exploited by attackers. But, because we can’t be completely sure, here’s what we’re doing to keep the small group of potentially vulnerable people safe:

  1. Updated Twitter for Android to make sure external apps can’t access Twitter in-app data by adding extra safety precautions beyond standard OS protections
  2. Requiring anyone that may be impacted to update Twitter for Android
  3. Sending in-app notices to everyone who could have been vulnerable to let them know if they need to do anything
  4. Identifying changes to our processes to better guard against issues like this

This, notably, isn’t the first vulnerability Twitter has disclosed in its Android app. Not long ago, a similar problem was made public to users after a fix was available.

Dylan Roussel contributed to this article.

More on Twitter:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Schoon Ben Schoon

Ben is a writer and video producer for 9to5Google.

Find him on Twitter @NexusBen. Send tips to or encrypted to

Ben Schoon's favorite gear