Twitter has patched an issue that could have been leveraged to see the tweets of protected accounts via SMS or push notifications.
Since November 2013, users could have viewed the tweets of protected accounts without being an approved follower via push notifications or SMS. The company says the issue could have been exploited only “under rare circumstances” to see the tweets of over 93,000 protected accounts.
Twitter has also removed the unapproved follows and emailed each of the impacted customers not only to inform them of the flaw, but also to apologize to them.
The issue was reported by a member of the IT security community, but Twitter doesn’t say who it is.
I think this is the first privacy issue addressed by Twitter this year. Last year in November, security researcher Henry Hoggard identified a cross-site request forgery (CSRF) vulnerability that could have been leveraged by hackers to read users’ direct messages and even post tweets on their behalf.
Basically, the CSRF security hole could have been exploited by an attacker to add his own phone number to a targeted account. Once the number was added, the hacker could have abused SMS commands to control the hijacked profile.
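To make the defensive side of that CSRF story concrete, here is an added example, written for this page and not code from the article or from Twitter: a constructed, in-memory stand-in for a cookie-authenticated web app with a "add phone number" endpoint in two versions. The vulnerable handler trusts the session cookie alone, so a form submitted from any other site the victim visits succeeds; the hardened handler additionally checks the request's Origin/Referer against the site's own origin (assumed here to be `https://example.invalid`) and requires a per-session synchronizer token that a cross-origin page cannot read. All names, the origin and the phone numbers are illustrative.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, in-memory stand-in for a cookie-authenticated web app.
# None of this is Twitter's code; names and values are illustrative.

SITE_ORIGIN = "https://example.invalid"  # assumed origin of the legitimate site


@dataclass
class Session:
    user: str
    # Synchronizer token: random per session and never readable by another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    cookies: dict   # attached automatically by the browser, even for cross-site posts
    form: dict      # POST body chosen by whoever built the form
    headers: dict   # Origin/Referer are set by the browser, not by the page author


SESSIONS: dict = {}
PHONE_NUMBERS: dict = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = Session(user=user)
    return sid


def add_phone_vulnerable(req: Request):
    """Vulnerable handler: a valid session cookie is the only check, so a form
    posted from any other site the victim visits is accepted."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    PHONE_NUMBERS[sess.user] = req.form["phone"]
    return 200, "phone added"


def add_phone_hardened(req: Request):
    """Hardened handler: same cookie check plus Origin/Referer validation and a
    per-session CSRF token compared in constant time."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not origin.startswith(SITE_ORIGIN):
        return 403, "request did not originate from this site"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    PHONE_NUMBERS[sess.user] = req.form["phone"]
    return 200, "phone added"


def simulate() -> dict:
    """Replay a cross-site post and a legitimate post against both handlers."""
    SESSIONS.clear()
    PHONE_NUMBERS.clear()
    sid = login("victim")
    # Cross-site post: the browser attaches the victim's cookie, but the foreign
    # page cannot read the session's token and carries a foreign Origin.
    cross_site = Request(
        cookies={"sid": sid},
        form={"phone": "+15550000001"},
        headers={"Origin": "https://third-party.invalid"},
    )
    # Legitimate post: built by the site's own page, which embeds the token.
    legitimate = Request(
        cookies={"sid": sid},
        form={"phone": "+15550000002", "csrf_token": SESSIONS[sid].csrf_token},
        headers={"Origin": SITE_ORIGIN},
    )
    results = {}
    results["vulnerable_cross_site"] = add_phone_vulnerable(cross_site)[0]
    results["phone_after_vulnerable"] = PHONE_NUMBERS["victim"]
    results["hardened_cross_site"] = add_phone_hardened(cross_site)[0]
    results["hardened_legitimate"] = add_phone_hardened(legitimate)[0]
    results["phone_on_file"] = PHONE_NUMBERS["victim"]
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running `simulate()` shows the vulnerable handler accepting the cross-site post (status 200, the foreign number now on file) while the hardened handler rejects it with 403 and still accepts the site's own form. For an account-binding change like this, a common additional control is to require confirmation of the new number out of band before it becomes active, so that even a successful forged request does not immediately grant control.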