Twitter announced Friday that it has patched a serious vulnerability in the official Twitter client for Android.
According to the announcement on the company’s blog, the bug “could allow a bad actor to see nonpublic account information or to control your account (i.e., send Tweets or Direct Messages). Prior to the fix, through a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app, it may have been possible for a bad actor to access information (e.g., Direct Messages, protected Tweets, location information) from the app.”
The company does not have any evidence the vulnerability was actually exploited, but is choosing to error on the side of caution. Twitter is contacting—via email or the app—any users who could have been exposed and providing instructions on what they should do.
In the meantime, all Android users should update to the latest version, where the vulnerability has been fixed. iOS users are in the clear, as the bug appears to have only impacted the Android client.