Twitter contacts business users over data exposure

Issue relates to how web browsers cached confidential data entered in Twitter’s ads and analytics services, but is unlikely to have resulted in compromise

Social media platform Twitter has begun contacting a number of business users in relation to a long-standing data security issue that may have seen their personal information exposed if a highly specific set of circumstances occurred.

Twitter told affected users that before 20 May 2020, if they viewed their billing information on ads.twitter.com or analytics.twitter.com, data including email addresses, phone numbers, the last four digits of credit card numbers, and billing addresses “may have” been stored in their browser’s cache.

Because most browsers generally store such data for a given period by default, if an affected user was using a shared computer, it would be possible for another user to access and view that data, the firm said in a disclosure email, a copy of which was seen by Computer Weekly.

“We’re very sorry this happened,” the organisation said in the email. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”

Twitter said that as of 20 May the vulnerability had been fixed by updating the caching instructions it sends to browsers, so that this data is no longer retained.
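The article does not say which caching directives Twitter changed, only that the browser's stored copy of the billing pages was the problem. The following added example (not Twitter's code) shows how a defender can check a response for the weakness described here: a helper parses the `Cache-Control` header and flags any response carrying sensitive data that a browser is still permitted to keep on disk. It assumes, as a hypothetical, that the fix amounts to sending `Cache-Control: no-store` on such pages; the sample responses and paths are constructed for illustration.

```python
"""Check whether HTTP responses carrying sensitive data may be kept in the
browser cache (the exposure described in the article).

Added example; the helper names and the sample responses are constructed,
not taken from Twitter's systems.
"""

# Constructed "before" headers: `private` stops shared/proxy caches, but the
# user's own browser cache may still write the body to disk, and `max-age`
# keeps it fresh for an hour. A second user of the same machine could read it.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=3600",
}

# Constructed "after" headers: `no-store` is the directive that forbids any
# cache (browser included) from retaining the response. The other values are
# belt-and-braces for old clients and intermediaries.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header into {directive: argument or None}.

    Directive names are case-insensitive (RFC 7234 section 5.2), so they are
    lower-cased; quoted arguments have their quotes stripped.
    """
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: dict) -> bool:
    """True if a browser cache is permitted to keep this response on disk.

    Only `no-store` prevents storage. `private` merely restricts storage to
    the end user's own cache, and `no-cache` only forces revalidation before
    reuse; both still leave a copy on a shared machine. A missing
    Cache-Control header is treated as storable, since browsers may then
    apply heuristic freshness. HTTPS alone does not stop browser caching.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def audit_responses(responses: dict) -> list:
    """Return (name, verdict) pairs for a mapping of name -> response headers.

    Verdict is "storable" when a shared-machine user could later find the
    body in the cache, "not stored" otherwise.
    """
    return [
        (name, "storable" if browser_may_store(hdrs) else "not stored")
        for name, hdrs in responses.items()
    ]


if __name__ == "__main__":
    # Constructed sample: the same billing page before and after the fix.
    sample = {
        "billing page (before)": WEAK_HEADERS,
        "billing page (after)": HARDENED_HEADERS,
        "billing page (no Cache-Control at all)": {"Content-Type": "text/html"},
    }
    for name, verdict in audit_responses(sample):
        print(f"{name}: {verdict}")
```

Run it as a script to see the three verdicts, or import `browser_may_store` into a test suite that fetches the real billing endpoints of your own application and fails the build when a sensitive response is storable. The point a practitioner should take from it is that `private` and `no-cache` are not substitutes for `no-store` when the threat is another user of the same browser profile.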

The firm said it had no evidence that any billing information was compromised as a result of the vulnerability.

To exploit the vulnerability, an attacker would need physical access to the victim’s device, and would probably have to be known to the victim, so it is quite unlikely that any of the account data affected has been exfiltrated by cyber criminals.

Nevertheless, in a business context, there always exists an element of risk from malicious insiders, so Twitter said that if users do use a shared machine to access either their ads or analytics billing information, they should clear their browser caches when they log out, as a precaution.

At the time of publication, Twitter had not yet responded to a request for comment, so it is as yet unclear how many accounts may have been at risk of compromise, should the vulnerability have been exploited.

Martin Jartelius, chief security officer at Outpost24, agreed that the likelihood of compromise was slim. “This access has to be done on the computer on the same account as you used, or by a user with permissions to access the cached information,” he said.

“Using personal accounts when using computers, and not accessing personal accounts from shared systems such as in a library, are good practice. Accessing any account from a system you do not control, such as in the case of a library or other shared systems, already means the information could be accessed by the owner of that system if they monitor your activity.”

Jartelius added: “The fact that Twitter is reaching out to their customers regarding this is a very strong statement regarding their focus on their customers’ privacy and security.”

Javvad Malik, security awareness advocate at KnowBe4, said: “This is a good proactive step taken by Twitter in notifying potentially impacted users. It appears as if this would only manifest as an issue in the event that a shared computer was used.

“It is worth users being mindful of what actions they perform on a shared device and should avoid logging onto accounts and making payments on shared or public devices unless absolutely necessary. If it does need to be done, they should ensure they are logged out of all accounts once they are done.”