Twitter Warns of Account Hijacking Flaw in Android App, Urges Immediate Updates

Twitter Warns of Account Hijacking Flaw in Android App, Urges Immediate Updates

Anyone running an older version of the Twitter app on Android might want to reconsider their update phobia. Twitter reports that a flaw in the app could have allowed an attacker to access accounts to see protected data and even post content as if they were the victim. The vulnerability is patched in the latest versions, but that won’t matter if you’ve got automatic updates turned off.

Twitter released scant details of the hack in its recent Privacy Center blog post. It only said that the process to break into an account via the Android app was “complicated” and involved injecting malicious code into restricted storage areas of the app. It did not specify whether or not someone needed physical access to the device, but that’s probably dependent on the availability of other exploits. By chaining several attacks together, it may be possible to remotely compromise the Twitter client.

Regardless of how difficult the attack was, taking over Twitter accounts is a high-reward attack. Someone could use this to push malware on large numbers unsuspecting Twitter users by taking over high-profile accounts. Imagine if Elon Musk’s real Twitter account suddenly tweeted a link to free Bitcoins. A lot of people would click of only out of sheer curiosity.

Twitter Warns of Account Hijacking Flaw in Android App, Urges Immediate Updates

Twitter pushed out a patch for this update in November. Users on Android 5.0 Lollipop or later should now be on v8.18 or later for full protection. Twitter even went to the effort of releasing an update for Android users on the ancient KitKat version of the OS (v7.93.4), also in November. The company waited until now to ensure most users would be updated. Even the vague explanation from the blog post could point online criminals in the direction of the flaw.

Twitter users with third-party clients are not affected by the bug, nor are those on iOS. You can all continue tweeting without hurriedly checking your client version. Android users on the old version of the official Twitter client should update immediately. It is also generally inadvisable to disable automatic updates in the Play Store. You can (and should) turn on automatic updates in the Play Store settings under “Auto-update apps.” You can choose between Wi-Fi only (the defaut), over any network, and not at all.

Continue reading

Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities
Time to Update: Google Patches 2 Severe Zero-Day Chrome Vulnerabilities

Unlike the last few zero-days, Google didn't find these security holes itself. Instead, it was tipped by anonymous third-parties, and the problems are severe enough that it hasn't released full details. Suffice it to say, you should stop putting off that update.

Samsung Starts Rolling Out Galaxy S20 Android 11 Update on Verizon
Samsung Starts Rolling Out Galaxy S20 Android 11 Update on Verizon

Not only does this include the Googley Android 11 enhancements, but it also has numerous Samsung-specific changes as part of the One UI 3.0 revamp.

Apple Urges Immediate iPhone Update to Block Active Online Hacks
Apple Urges Immediate iPhone Update to Block Active Online Hacks

There's a new version of Apple's iOS software for iPhone and iPad devices, and as usual, Apple is going to start pestering users to update. This time, the nagging for iOS 14.4 comes with a little more urgency.

Samsung Promises to Update Its Android Phones Even Longer Than Google
Samsung Promises to Update Its Android Phones Even Longer Than Google

Smartphone updates have been a mess for as long as the modern smartphone has existed, but Samsung just took a big step in the right direction: The company has decided to extend security update support to a full four years.