Threat Watch

Users’ Geolocation Data Exposed by Bug in Twitter

Twitter discovered a bug in its app after the geolocation data of users on iOS was inadvertently exposed to a third-party partner. If a user had two Twitter accounts and the precise location feature was turned on for one of them but not for the other, the bug caused that location data to be collected. In effect, when the account that did not have precise location turned on was used on the device, the feature was enabled automatically without the user’s consent. As a result, the location was shared with an advertising partner during a real-time bidding process. As soon as this was discovered, Twitter was able to cover the information so that the only data visible was the zip code and/or city. “We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time and was then deleted as part of their normal process,” claimed Twitter in a recent statement. All users who may have been impacted in this instance have been contacted in case any further action is taken in relation to the bug.

ANALYST NOTES

Unless location features are absolutely necessary, users should consider disabling them completely. Even with location features disabled, their IP address can still be accessed; users can prevent this by using VPNs to hide their IP address. Many people have no idea what they are sharing when they allow apps to access their location, so it is crucial for them to understand the risks of sharing geolocation.