This article was published on May 14, 2019

Twitter bug accidentally shared location data of some iOS users

Story by Ravie Lakshmanan

Twitter says it has fixed a bug that resulted in a user’s approximate location information being shared with an unnamed Twitter partner.

“We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances,” the company said in a blog post.

According to the post, the bug only affected iOS users of its Twitter app who had a second account on their phones. So if users had allowed Twitter to access precise location data on one account, the setting would automatically be applied to the other account(s), even when they did not opt in to location data sharing.

Twitter also noted that the collected information was then shared with a trusted partner for the purpose of serving ads through a process called real-time bidding. It sought to allay privacy concerns by stating that the location data was “fuzzed” to reduce its accuracy to the nearest zip code or city, and that the partner that inadvertently received the location data did not also receive users’ Twitter handles or unique account identifiers.

“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” it stated on the help site.

Although Twitter didn’t say when the data sharing took place, the social media company said it has already notified impacted users, and urged users to revisit their privacy settings in light of the security incident.

It’s also worth noting that this security issue is Twitter’s fourth bug in the past year.

Last September, a bug in the Twitter API accidentally exposed private messages and protected tweets to developers not authorized to read them.

In December, it disclosed that “state-sponsored actors” may have exploited a vulnerability in its online support form to obtain the country code of a user’s phone number and determine whether or not the account had been locked by Twitter.

In January this year, Twitter found a security flaw in its Android app causing private tweets of an unspecified number of users to be publicly available since 2014.
