Twitter's SMS bug exposed protected tweets to unauthorised users


Twitter has fixed a bug that resulted in protected tweets reaching unauthorised users via SMS and push notifications.


A protected Twitter account lets its owner restrict who can see their tweets to followers they have approved, but this bug, in operation since November 2013, bypassed that restriction on the SMS and push notification channels, so tweets that were hidden from the timeline of a non-approved follower could still be delivered to that follower's phone.

"We were alerted to and fixed a bug in our system that, for 93,788 protected accounts under rare circumstances, allowed non-approved followers to receive protected tweets via SMS or push notifications since November 2013," said Bob Lord, Twitter's director of information security, in a blog post.

"As part of the bug fix, we've removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future."

The bug was identified and reported by members of Twitter's white-hat security community, the independent security researchers who find and report potential security flaws to the social network.

Lord said although the impact of the flaw "was small in terms of affected users, that does not change the fact that this should not have happened. We've emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies."
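The failure described above is a classic one: a visibility rule is enforced on the primary path (the web timeline) but a secondary delivery channel (SMS, push) fans tweets out from its own subscription list without re-checking it. The following Python model is an added example, not Twitter's code; the account, subscription and channel names, the `can_view` rule and the sample data are all hypothetical. It shows the vulnerable fan-out beside the hardened one that routes every channel through the same visibility predicate, plus the audit query that finds the subscriptions such a fix must revoke.

```python
"""Added example (hypothetical, not Twitter's code): enforce protected-account
visibility on every delivery channel, not only on the timeline."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    protected: bool = False
    # Follower names the owner has explicitly approved (only meaningful when protected).
    approved_followers: set = field(default_factory=set)


@dataclass
class Subscription:
    """A follower's request to receive an author's tweets over a side channel."""
    follower: str
    author: str
    channel: str  # "sms" or "push"


def can_view(author: Account, viewer: str) -> bool:
    """The single visibility rule; the timeline and every side channel must use it."""
    if not author.protected:
        return True
    return viewer == author.name or viewer in author.approved_followers


def deliver_buggy(author: Account, subs: list) -> list:
    """Vulnerable pattern: the side channel trusts its subscription list and never
    consults can_view(), so a pending (unapproved) follower still gets the tweet."""
    return [(s.follower, s.channel) for s in subs if s.author == author.name]


def deliver_fixed(author: Account, subs: list) -> list:
    """Hardened pattern: the visibility check runs at the point of delivery."""
    return [(s.follower, s.channel)
            for s in subs
            if s.author == author.name and can_view(author, s.follower)]


def stale_subscriptions(accounts: list, subs: list) -> list:
    """Remediation audit: subscriptions the delivery check now rejects. These are the
    'unapproved follows' a fix has to remove rather than leave silently pending."""
    by_name = {a.name: a for a in accounts}
    return [s for s in subs if not can_view(by_name[s.author], s.follower)]


# Constructed sample data (hypothetical).
ALICE = Account("alice", protected=True, approved_followers={"bob"})
CAROL = Account("carol", protected=False)
ACCOUNTS = [ALICE, CAROL]
SUBS = [
    Subscription("bob", "alice", "sms"),       # approved follower: allowed
    Subscription("mallory", "alice", "push"),  # follow request never approved
    Subscription("dave", "carol", "sms"),      # public account: always allowed
]

if __name__ == "__main__":
    print("buggy :", deliver_buggy(ALICE, SUBS))
    print("fixed :", deliver_fixed(ALICE, SUBS))
    print("revoke:", [s.follower for s in stale_subscriptions(ACCOUNTS, SUBS)])
```

The design point is that `can_view` is the only place the rule lives; if a new channel is added later it cannot ship without calling it, and the audit function reuses the same predicate so the clean-up and the enforcement can never disagree.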

Last week, Twitter accidentally sent out an email to some users, urging them to reset their password due to unusual activity on their account.

The email read: "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account. You'll need to create a new password for your Twitter account."

The email then urged recipients to change their password by clicking a link, exactly the pattern of an unsolicited reset notice that users are told to treat as a likely phishing email.

Shortly after sending the email out, Twitter followed up with a statement saying: "We unintentionally sent some password reset notices tonight due to a system error. We apologise to the affected users for the inconvenience."

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.