Micro-blogging site Twitter has reportedly been retaining messages shared on its platform including deleted messages along with data shared and received from accounts that have been suspended or deactivated, the media reported.
Earlier Saini claimed to have reported a similar bug, found a year ago that allowed him to use a since-deprecated application programming interface (API) to retrieve direct messages even after a message was deleted from both the sender and the recipient.
Previously, Twitter allowed users to delete messages from the chat itself with the "unsend" feature but now, users are only allowed to remove messages from their own account.
"We are looking into this further to ensure we have considered the entire scope of the issue," the report quoted a Twitter spokesperson as saying.
As part of its privacy policies, Twitter notes that anyone wanting to leave the service can have their account "deactivated and then deleted" and after a 30-day grace period, the account, along with its data, disappears from the platform.
"But, in our tests, we could recover direct messages from years ago - including old messages that had since been lost to suspended or deleted accounts. By downloading your account's data, it is possible to download all of the data Twitter stores on you," the report said.
According to the report, Saini believes this is a functional bug rather than a security flaw.
"Saini told TechCrunch that he had concerns that the data was retained by Twitter for so long but argued that the bug allows anyone a clear bypass of Twitter mechanisms to prevent accessed to suspended or deactivated accounts," the report added.
This issue could expose users, particularly high-risk accounts like journalists and activists to governments, which could demand for data from years ago.
Asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter's spokesperson had "nothing further" to add, the report noted.