
Twitter for Android Security Vulnerability - mayakacz
https://privacy.twitter.com/en/blog/2020/twitter-for-android-security-vulnerability
======
JoshTriplett
Better yet: don't install the Twitter app, and instead use m.twitter.com,
which works perfectly and stays entirely within the browser's sandbox as it
should.

You can have a separate icon for that as though it were an app, and if you
_really_ want to, you can enable push notifications just as you could with an
app.

~~~
tgsovlerkhgsel
I'm often getting some form of "you're rate limited", "not allowed to perform
this action" etc. until I hard-reload the full page.

Given that others have reported it, and it's been there for a long time, I
suspect Twitter at the very least intentionally doesn't put too many resources
behind the website to force people to use the app.

Of course, if a service _really_ wants to push an app onto me, it's clear that
the app gives them some real benefits, and it's usually the kind that aren't a
benefit for me (more tracking, better ways to push ads, more "engagement"
notifications, ...). So the harder something wants to push an app, the clearer
it is that I never, ever want their app to touch my device.

~~~
xur17
> I'm often getting some form of "you're rate limited", "not allowed to
> perform this action" etc. until I hard-reload the full page.

I thought I was the only person dealing with this. It happens for pretty much
every tweet that I open in a browser. After a refresh, everything loads fine,
but it's quite annoying.

~~~
thekyle
Yeah, I always thought it was because I use a VPN but maybe not.

------
anonu
identified October 2018

fixed August 2020

Good job Twitter

[https://source.android.com/security/bulletin/2018-10-01](https://source.android.com/security/bulletin/2018-10-01)

~~~
Jonnax
The security patch from Google is from October 2018 it looks like.

So Twitter is to blame for not coding a mitigation for vulnerable devices? Or
is it the phone manufacturer's fault for not releasing security patches for
their phones?

------
EE84M3i
Strangely, I got a notification for this on twitter.com on Win 10 Chrome and
it said "you are no longer using a vulnerable version of Android on this
device".[1] I do use Twitter for Android on my phone, so maybe they sent the
notifications to anyone using it but they forgot it could be displayed in the
web interface too.

I find the "Our understanding" language strange. Presumably this number comes
from some kind of metrics, but it seems like a bit of CYA language?

Still, appreciate the heads up for something they AFAIK didn't have any
obligation to give a notification for.

[1] [https://i.imgur.com/8dJ9Eq3.png](https://i.imgur.com/8dJ9Eq3.png)

~~~
dijit
I got this notification on my iOS device, I have never used twitter on
Android. I think they just sent it out to everyone.

------
ufmace
They're awfully vague about exactly what the vulnerability was and what could
exploit it. I thought the sandboxing between apps would be quite solid and
well-tested. Did that break somehow, or did the Twitter app have some kind of
insecure API for other apps to interface with the local Twitter app?

------
ISL
If only old hardware/phones could get OS security updates by any mechanism.

I have a growing drawer of old hardware that is perfectly functional but no
longer updateable.

~~~
Jonnax
Likely with locked bootloaders as well!

There needs to be a law that states that once a company stops supporting a
device they must release the keys to allow users to modify their devices
themselves.

------
moonbug
I got this alert and have _never_ installed any Twitter app.
