Security Experts:

Connect with us

Hi, what are you looking for?



Twitter Collected and Shared iOS Location Data

Twitter on Monday revealed that a bug in Twitter for iOS led to the micro-blogging platform inadvertently collecting location data and sharing it with a third-party.

Twitter on Monday revealed that a bug in Twitter for iOS led to the micro-blogging platform inadvertently collecting location data and sharing it with a third-party.

The company reveals that the data collection and sharing occurred only in certain circumstances and says that only one of their partners was involved in it. Nevertheless, this partner is an advertising company.

“Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,” the company reveals

The social platform also notes that it had intended to remove the location information from the data sent to “a trusted partner during an advertising process known as real-time bidding,” but that did not happen. 

The good news is that the technical measures Twitter had implemented to “fuzz” the data shared resulted in the partner receiving location information “no more precise than zip code or city (5km squared).”

Thus, the platform notes, the location data could not be used to determine a user’s address or to map their movements. No Twitter handle or other unique account IDs were shared, meaning that users’ identities on Twitter were not compromised. 

“This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner,” the social platform notes. 

According to Twitter, the partner did not retain the data and only kept it in their systems for a short time, after which it was deleted as part of their normal process. 

The social platform says it has fixed the issue and that it also informed all those who were impacted. 

However, the company did not provide information on the number of affected users and did not reveal for how long it shared the data with its partner. 

“We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us. We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” Twitter says. 

Related: Bug Gives Twitter Apps More Permissions Than Shown

Related: Bug Exposed Direct Messages of Millions of Twitter Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.