Twitter ‘incident’ leaves billing info stored in browser cache

A “data security incident” at Twitter caused billing information for companies using the social media company’s advertising and analytics platform to be stored in the browser’s cache.

While Twitter doesn’t believe the information – including the last four digits off credit card numbers, email addresses and phone numbers – has been compromised it can’t rule out others have had access to it, the BBC cited a Twitter email to customers as saying. "We're very sorry this happened. We recognise and appreciate the trust you place in us, and are committed to earning that trust every day,” the company said.

While browser cookies are a “double-edged sword” that “can help simplify the process of identifying a user and their preferences, they shouldn’t be a proxy for a database,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

“In this case, it appears the development team for Twitter Business stored sensitive information in browser cookies and turned their browser cookies into a cache of database information,” Mackey said. “Not only does this presume that the user will always use the same device when accessing their Twitter Business account, but it also presumes the user has only one device since changes in information like updated billing information can’t possibly be sent to the browser cache of all devices when data updates happen.“

The issue may not have posed a risk for those using our personal computers, it does provide “a teachable moment regarding the risk of shared computers,” said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). “Whether you regularly rely on libraries or Internet cafes for access or just need to print the occasional boarding pass from a hotel lobby, there can be a risk of exposing personal data.”

Young recommends avoiding “using shared computers when entering or accessing personal data but this is not always an option. The next best solution is to bring your own web browser and take it with you when you go.”

Calling the “breach or leak, depending on its classification” concerning but “more of a nuisance issue than a full-blown event where Twitter knew about it and hid it from the world," James McQuiggan, security awareness advocate at KnowBe4, applauded Twitter for coming forth, being transparent, and correcting the issue.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.