Twitter Retains Old DMs Even After They Are Deleted: Report

Share on Facebook Tweet Share Reddit Comment
Twitter Retains Old DMs Even After They Are Deleted: Report

Highlights

  • A security researcher found years-old messages in a file from an archive
  • The message archive belonged to accounts that were deleted
  • Saini believes this is a functional bug rather than a security flaw

Micro-blogging site Twitter has reportedly been retaining messages shared on its platform including deleted messages along with data shared and received from accounts that have been suspended or deactivated, the media reported.

"Security researcher Karan Saini found years-old messages in a file from a data archive obtained through the website from accounts that were no longer on Twitter," TechCrunch reported on Saturday.

Earlier Saini claimed to have reported a similar bug, found a year ago that allowed him to use a since-deprecated application programming interface (API) to retrieve direct messages even after a message was deleted from both the sender and the recipient.

Previously, Twitter allowed users to delete messages from the chat itself with the "unsend" feature but now, users are only allowed to remove messages from their own account.

"We are looking into this further to ensure we have considered the entire scope of the issue," the report quoted a Twitter spokesperson as saying.

As part of its privacy policies, Twitter notes that anyone wanting to leave the service can have their account "deactivated and then deleted" and after a 30-day grace period, the account, along with its data, disappears from the platform.

"But, in our tests, we could recover direct messages from years ago - including old messages that had since been lost to suspended or deleted accounts. By downloading your account's data, it is possible to download all of the data Twitter stores on you," the report said.

According to the report, Saini believes this is a functional bug rather than a security flaw.

"Saini told TechCrunch that he had concerns that the data was retained by Twitter for so long but argued that the bug allows anyone a clear bypass of Twitter mechanisms to prevent accessed to suspended or deactivated accounts," the report added.

This issue could expose users, particularly high-risk accounts like journalists and activists to governments, which could demand for data from years ago.

Asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter's spokesperson had "nothing further" to add, the report noted. 

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: Twitter
Facebook 'Intentionally' Violated UK Privacy and Competition Rules, British Lawmakers Say
Xiaomi Mi 9 Display Features Teased Ahead of February 20 Launch
 
 

Advertisement

 

Advertisement