Twitter bug shared location data for some iOS users

Twitter disclosed today a bug in its platform that impacted the privacy of some its iOS app's users.

"We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances," Twitter said.

The company said the bug only occurred on its iOS app where users added a second Twitter account on their phones. If they allowed Twitter access to precise location data in one account, then that setting was applied to both accounts managed via the iOS app.

This meant the app sent precise location data to Twitter, which then made it available to "a trusted partner during an advertising process known as real-time bidding," even for accounts users didn't agree to share such info.

However, Twitter said they were the only party who received precise location data, and not the advertiser, which was provided "fuzzed" geo-location data that was scrambled to reduce its accuracy to 5km squared boxes.

"We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process," the company said today on its help site.

Twitter said it already notified impacted users.

The fourth Twitter bug

This is Twitter's fourth bug in its platform disclosed in the past year.

In September 2018, Twitter said an API bug inadvertently shared some users' private messages with developers of apps they did not authorize to receive this data.

In December 2018, Twitter said a suspected nation-state hacking group exploited a vulnerability in its support form system to exfiltrate data from its platform.

In January 2019, a bug in Twitter's Android app accidentally made private tweets publicly accessible to everyone, including non-followers and search engines.

These are the worst hacks, cyberattacks, and data breaches of 2018

More data breach coverage:

• Indiana Pacers disclose security breach
• New leaks of Iranian cyber-espionage operations hit Telegram and the Dark Web
• US charges one of the Anthem hackers
• Turkey fines Facebook for December 2018 API bug
  
• Hackers are collecting payment details, user passwords from 4,600 sites
• Unsecured server exposes data for 85% of all Panama citizens
• Facebook passwords by the hundreds of millions sat exposed in plain text CNET
  
• Facebook data privacy scandal: A cheat sheet TechRepublic