A bug that allowed Twitter users to spy on protected accounts, reading supposedly protected Tweets via SMS or push notifications regardless of whether the account owner had approved them as followers, has been fixed by the social network.
In a blog post this week, Twitter’s Director of Information Security, Bob Lord said, “We were alerted to and fixed a bug in our system that allowed non-approved followers to receive protected tweets via SMS or push notifications. As part of the bug fix, we’ve removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future.”
The site said that the bug had been active since November 2013, and affected nearly 100,000 protected accounts, according to The Register’s report.
Twitter’s Lord said, “While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened. We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.”
Twitter said that the bug had been brought to its attention by a member of the white-hat security community. Lord said that he wanted to thank the unnamed security tipster for “helping us discover and diagnose the bug,” commenting that “these folks help us keep Twitter safe for everyone.”
BetaNews commented, “While it is appreciated that Twitter was forthcoming and quickly fixed the bug, it never should have happened. This could potentially result in dangerous situations.”
Author Rob Waugh, We Live Security