Twitter revealed on Monday that a bug in its iOS app – which it has fixed – had caused users’ location data to be collected, even if the users had not chosen to share the data. The company said it accidentally shared this data with one of its partners. It did not name the partner, but said the bug had affected iOS users who used more than one Twitter account. “If you opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s),” the company wrote. Twitter said this information was then shared with one of its partners during an advertising process known as real-time bidding. The company said it had intended to remove location data from the fields but “this removal did not happen as planned”. Twitter said, however, that it had “fuzzed” the data so that it was no more precise than zip code or city (5 km squared). This meant it could not be used to determine an address or map precise movements. “We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” Twitter wrote.

Twitter has been operating under a consent decree by the US Federal Trade Commission (FTC) since June 2010, when it settled an investigation into its lax security practices and protection of user accounts after two high-profile hacking incidents the previous year, one of which involved an account used by Barack Obama. The FTC said at the time:

Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorised access to non-public information and honour the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.

Fourth Twitter bug since September 2018

This is the fourth bug the Twitter has found since September 2018. Here are the other three:

  • ‘Protected tweets’ setting disabled automatically: In January, Twitter said that a bug in its Android app, dating back to 2014, caused the ‘Protect your Tweets’ setting to be disabled if certain account changes were made. It said Android users who had protected Tweets turned on, and made certain changes to account settings between November 3, 2014 and January 14, 2019 may have been affected.
  • Country codes of users’ phone numbers and their account status compromised: In December last year, Twitter reported a vulnerability in one of its support forms that could be used to discover the country code of users’ phone numbers associated with their Twitter account, and determine whether or not the account had been locked. In its investigation, Twitter noticed “unusual activity” on the affected customer support form API. “Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” the company wrote.
  • Protected tweets, private messages shared with developers: In September 2018, a bug in Twitter’s API led to protected tweets and private messages being shared with to developers not authorised to read them. The bug, which had run from May 2017, was fixed hours after Twitter discovered it on September 10, 2018. The company said it affected less than 1% of people on Twitter.