[BreachExchange] Twitter Tells Users Firefox Possibly Exposed Personal Information

Destry Winant destry at riskbasedsecurity.com
Mon Apr 6 10:20:18 EDT 2020


https://www.securityweek.com/twitter-tells-users-firefox-possibly-exposed-personal-information

Twitter informed users on Thursday that their personal information may
have been exposed due to the way the Firefox web browser stores cached
data.

The social media giant discovered recently that Firefox’s cache stored
some private information associated with the use of Twitter, including
sent or received direct messages and the downloaded data archive.
However, this would only be problematic on shared computers.

“We recently learned that the way Mozilla Firefox stores cached data
may have resulted in non-public information being inadvertently stored
in the browser's cache,” Twitter explained. “This means that if you
accessed Twitter from a shared or public computer via Mozilla Firefox
and took actions like downloading your Twitter data archive or sending
or receiving media via Direct Message, this information may have been
stored in the browser’s cache even after you logged out of Twitter.”

The company added in a message posted on Twitter, “There isn’t a
standard for how browsers cache downloaded data. We noticed that the
way Firefox stores cached Twitter data is different (but not wrong)
than other browsers and could put your non-public info at risk.”

Firefox only stores cached data for 7 days, which means the Twitter
data would have only been exposed for a limited period of time. Users
can also manually clear the cache, which Twitter recommends for users
who accessed Twitter from a shared or public device.

Twitter has made some changes on its end to ensure Firefox no longer
stores potentially sensitive information belonging to its users.
Safari and Chrome do not appear to be impacted.

Twitter has disclosed several security and privacy issues over the
past few years, including issues related to the use of account security
information for advertising, the Android app exposing protected
tweets, an API vulnerability exploited to match usernames to phone
numbers, the Android app allowing hackers to obtain sensitive data and
hijack accounts, and direct messages being exposed to third-party
developers.

