Twitter on Tuesday notified business clients that their personal information, including email addresses, phone numbers, and the last four digits of their credit card numbers may have been compromised. However, Twitter says there’s no evidence that this has happened so far.
Self-serve advertisers who viewed billing information on ads.twitter.com or analytics.twitter.com were affected before Twitter updated the instructions it sends to browser caches to prevent this from happening.
The issue occurred prior to May 20, 2020, but Twitter only notified customers about it on June 23.
Self-serve advertisers, who are SMBs, were affected. Twitter launched a service in 2012 that let SMBs buy and place ads on its platform. It’s now available to customers in more than 200 countries worldwide.
Customers who have additional questions can write to Twitter’s Data Protection Officer.
Root of the Problem
Twitter’s systems failed to send a JSON header which specified browsers shouldn’t cache billing information and the browsers defaulted to caching the information, according to BBC journalist Alex Martin.
Maybe a leak, but not a breach. Brief explanation: Twitter was failing to send a JSON header which specified browsers shouldn't cache billing information, so the browsers defaulted to caching it. That's all that was happening. Very limited risk profile… https://t.co/62cPKP01xG
— Alexander Martin (@AlexMartin) June 23, 2020
It’s likely that the header was never set, and Twitter rolled out a change May 20 to address the situation, Craig Young, a computer security researcher at Tripwire, told TechNewsWorld.
“This is the kind of bug that could have existed since the advertising and analytics platforms launched,” Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, told TechNewsWorld. “Or, it could have been inadvertently introduced at any point since.”
Why the JSON header was omitted will not be clear without Twitter publishing its own root cause analysis, Clements said, but it’s “likely due to an inadvertent coding change that was not properly caught during security reviews rather than a malicious attacker action.”
Current coding practice is likely the cause, he suggested. “The mantra of ‘move fast and break things’ many start-ups adopt means, unfortunately, that security best practices for preventing and detecting such errors are often missed, and it’s customers that pay the price.”
Why the Delay in Notifying Clients?
It’s been more than a month since Twitter fixed the problem but the delay in notifying clients is not cause for concern, James McQuiggan, a security awareness advocate at KnowBe4, told TechNewsWorld.
“With a large organization like Twitter, this would trigger their incident response teams,” he said. “Since it involves customers, they have to bring in their legal team, communications, the C-suite et cetera. How quickly they communicate to the public depends on their Enterprise Risk Program.”
Once Twitter had reviewed the issues, identified the root cause and fixed the leak, technical teams would provide communication statements to legal for review, more meetings would follow, and the information would then be released.
“A month seems excessive,” Clements said. Still, it’s possible there were other confounding factors, such as determining which customer accounts may have been affected by the bug, and it’s possible that Twitter did not deem the potential risk to users as a high enough priority to rush out notifications.
The Scope of the Problem
How long the sensitive data was stored in clients’ browser caches would depend on how much space the browsers have for caching and how much cacheable content was loaded, Young said.
“There is no distinct time limit on how long the sensitive data may be stored in the cache unless it was tagged with an expiration date,” he added.
Still, “the lack of this security control was never a considerable threat to most users” except to those of shared computing systems, many of which are already configured to clear the cache between sessions, Young noted.
Any sensitive information that was cached would be limited to the local device used to access the information, Clements pointed out. As long as no other parties had access to the device and it hadn’t been hacked, the data would not have been compromised.
Further, browser caches may be cleared, or their entries may expire on their own, depending on how the device is configured. This could also limit how long data is stored locally in the cache.
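As an added example (not code from Twitter or from this article), here is a small checker that classifies what a browser cache is allowed to do with a response under the RFC 7234 rules described above: a response that omits any cache directive beside one that carries the corrective header, plus the max-age and Expires cases that bound how long an entry stays fresh. The header sets are constructed.

```python
# Added example (not Twitter's code): classify what a browser cache may do with a
# response under RFC 7234 rules, and compare a response that omits cache directives
# with one that carries the corrective header. All header sets below are constructed.
from typing import Dict, Optional

# Status codes a cache may store even without explicit freshness information (RFC 7234 4.2.2).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument or None}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def cache_verdict(headers: Dict[str, str], status: int = 200) -> str:
    """Return what a private (browser) cache is allowed to do with this response:
    'no-store'       must not be written to the cache at all
    'revalidate'     may be stored, but must be checked with the server before reuse
    'fresh:<N>'      may be stored and reused for N seconds without contacting the server
    'fresh:expires'  as above, until the date in the Expires header
    'heuristic'      no freshness information at all: the cache picks its own lifetime
    'not-cacheable'  status code is not cacheable by default
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"
    if "no-cache" in cc:
        return "revalidate"
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return f"fresh:{int(max_age)}"
    if "expires" in h:
        return "fresh:expires"
    return "heuristic" if status in HEURISTICALLY_CACHEABLE else "not-cacheable"


# Constructed billing-endpoint responses: the first omits any cache directive,
# the second carries the header that tells browsers never to store the body.
MISSING_DIRECTIVE = {"Content-Type": "application/json"}
HARDENED = {"Content-Type": "application/json", "Cache-Control": "no-store"}

if __name__ == "__main__":
    for name, hdrs in (("missing", MISSING_DIRECTIVE), ("hardened", HARDENED)):
        print(f"{name}: {cache_verdict(hdrs)}")
```

The "heuristic" verdict is the situation the article describes: nothing tells the cache when the entry expires, so the browser decides on its own.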
The sensitive data stored is not immediately dangerous by itself, and stealing it would require attackers to have access to each customer’s device, Clements said. “A malicious attacker that gained access to Twitter development required to introduce this issue would have much more attractive targets for theft and data disclosure.”
Twitter’s Ad Sales
News of the data leak will not impact Twitter’s ad sales badly, Ray Wang, a principal analyst at Constellation Research, told TechNewsWorld.
In February, Twitter reported ad revenues of US$885 million, up 12 percent YoY, for Q4-2019. Its Q1-2020 report, filed in April, said total ad revenue for that quarter fell about 27 percent YoY because of the pandemic.
By and large, though, the pandemic “has been good for most social networks as engagement has gone up and time spent on them has increased,” Wang said.