Just as Twitter was planning to go big by offering advertisers more opportunities on its platform, the company had to disclose a ‘data security incident’ involving the storage of billing information in the browser’s cache.
The news of the data breach first came out through customers of Twitter Ads and Analytics Manager, who received an official email from Twitter explaining that information such as email addresses, phone numbers, the last four digits of credit card numbers and billing addresses had been incorrectly stored in the browser’s cache.
The letter further stated that on May 20th, 2020 Twitter updated the caching instructions sent to the browser so that such a breach does not occur again. That also means that any billing information you viewed on ads.twitter.com or analytics.twitter.com before that date may still be at risk of exposure: most browsers keep cached data for at least 30 days, and if the same computer is shared by several people, any of them could access that information.
Fortunately, there is so far no evidence that any user’s sensitive information was compromised, but that does not mean nothing can happen in the future. As a precaution, the email from Twitter’s Business department also suggests that users clear their web browser cache after logging out.
Twitter has openly apologized for the mishap and has promised users that nothing of the sort will happen again.
A glance at the network requests that return sensitive JSON fields suggests that Twitter has made the right fix: responses are now sent with a "cache-control: no-store" header, which strictly instructs browsers not to store the data.
A good example of its practical implication is the JSON returned by the `tax_settings` API endpoint. Since it carries a lot of information about the business customer, the endpoint now sends the 'cache-control: no-store' header to stop that information from being cached.
The risk of a data breach would have been far greater had malware developers learned of the bug. For now, though, everything is under control, since malicious actors cannot walk up to the computer to read the cached information directly.
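To make the fix concrete, here is an added example (not Twitter's code) that shows the headers a server should attach to a response carrying billing data, and a small audit that flags JSON responses exposing sensitive fields without `Cache-Control: no-store`. The sample captures, the field names and the endpoint labels other than `tax_settings` are constructed for illustration.

```python
"""Audit HTTP response headers for sensitive JSON that a browser may cache.

Added example, not Twitter's code. The sample responses below are constructed;
only the tax_settings endpoint is named on the page.
"""
from typing import Dict, List, Tuple

# Field names are assumed for illustration; the page lists the kinds of data exposed.
SENSITIVE_FIELDS = {"email", "phone_number", "card_last4", "billing_address"}

Response = Tuple[str, Dict[str, str], Dict[str, object]]


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into a {directive: argument} map.

    Directive names are lower-cased; quoted arguments lose their quotes.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def browser_may_store(headers: Dict[str, str]) -> bool:
    """True unless the response forbids storage with Cache-Control: no-store.

    Header names are matched case-insensitively. A response with no
    Cache-Control at all counts as storable: browsers apply heuristic
    freshness to such responses and may keep them in the on-disk cache.
    """
    lowered = {name.lower(): val for name, val in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def sensitive_headers() -> Dict[str, str]:
    """Headers a server should send with a response that carries billing data."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        # no-store forbids every cache, browser or intermediary, from keeping a copy.
        "Cache-Control": "no-store",
        # Pragma: no-cache is an HTTP/1.0 fallback; harmless alongside no-store.
        "Pragma": "no-cache",
    }


def audit(responses: List[Response]) -> List[str]:
    """Return labels of responses that expose sensitive fields and may be cached."""
    findings = []
    for label, headers, body in responses:
        exposed = SENSITIVE_FIELDS & set(body.keys())
        if exposed and browser_may_store(headers):
            findings.append(label)
    return findings


# Constructed sample captures: the endpoint before the fix, after it, and a harmless one.
SAMPLE_RESPONSES: List[Response] = [
    ("tax_settings (before fix)",
     {"Content-Type": "application/json", "Cache-Control": "private, max-age=3600"},
     {"email": "a@example.com", "card_last4": "4242", "billing_address": "1 Main St"}),
    ("tax_settings (after fix)",
     sensitive_headers(),
     {"email": "a@example.com", "card_last4": "4242", "billing_address": "1 Main St"}),
    ("campaign_stats",
     {"Content-Type": "application/json"},
     {"impressions": 1200, "clicks": 31}),
]

if __name__ == "__main__":
    for label in audit(SAMPLE_RESPONSES):
        print(f"cacheable sensitive response: {label}")
```

Note that `private` alone is not enough: it only keeps shared proxies from storing the response, while the user's own browser still writes it to disk, which is exactly the shared-computer exposure the email describes.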
Featured Photo: @ravinepz / unsplash