Twitter discloses Firefox bug that cached private files sent or received via DMs

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Social networking giant Twitter disclosed today a bug on its platform that impacted users who accessed their platform using Firefox browsers.

According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily.

Twitter said that once users left their platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve them.

The company is now warning users who share workstations or used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.

This might include files sent or received via direct messages (DMs), data archive files downloaded from a profile's settings page, and others. Twitter said these files would remain on a system, even if the user logged off from their accounts.

The company said the bug's impact is somewhat limited as Firefox automatically purges all cached data older than seven days.

"If you use, or have used, a public or shared computer to access Twitter, we encourage you to clear the browser cache before logging out, and to be cautious about the personal information you download on a computer that other people use," Twitter said.

The cache can be cleared in Firefox by going to Tools > Options > Privacy & Security > Cookie and Site Data > Clear Data.

Twitter said it has now fixed this bug to prevent its platform from caching non-public information. The company also said the bug did not affect users using other browsers like Safari or Chrome.

[Image: firefox-clear-cache.png. Credit: ZDNet]

silversurfer

First, it’s important to understand the risk: what we’re talking about is “cached” data. All web browsers store local copies of data they get from servers so that they can avoid downloading the same data over the internet repeatedly. This makes a huge performance difference because websites are full of large files that change infrequently. Ordinarily this is what you want, but if you share a computer with other people, then they might be able to see that cached data, even if you have logged out of Twitter. It’s important to know that this data is just stored locally, so if you don’t share a computer this isn’t a problem for you. If you do share a computer, you can make sure all of your Twitter data is deleted by following the instructions here. If you do nothing, the data will be automatically deleted after 7 days the next time you run Firefox.

Second, why is this just Firefox? The technical details are complicated but the high level is pretty simple: caching is complicated and each browser behaves somewhat differently; with the particular way that Twitter had their site set up, Chrome, Safari, and Edge don’t cache this data but Firefox will. It’s not that we’re right and they’re wrong. It’s just a normal difference in browser behavior. There is a standard way to ensure that data isn’t cached, but until recently Twitter didn’t use it, so they were just dependent on non-standard behavior on some browsers.
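The "standard way" referred to in the post above is the `Cache-Control: no-store` response directive (RFC 9111). The following is an added example, not part of the original thread and not Twitter's or Mozilla's code: a header audit for responses that carry private data, showing why directives often mistaken for "do not cache" still leave a copy in the browser cache. The function names and the sample header sets are assumptions constructed for illustration.

```python
import re

# One Cache-Control directive: a token, optionally "=" token or quoted string.
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')

def parse_cache_control(value):
    """Return {directive: argument-or-None}; directive names are lowercased."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') or None
            for m in _DIRECTIVE.finditer(value)}

def audit_sensitive_response(headers):
    """Return (storable, findings) for a response that carries private data.

    headers: list of (name, value) pairs so repeated fields are preserved.
    """
    cc = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
    if "no-store" in cc:
        return False, []          # caches must not keep any copy
    findings = []
    if not cc:
        findings.append("no Cache-Control: storage is left to each browser's defaults")
    if "no-cache" in cc:
        findings.append("no-cache forces revalidation but still allows a stored copy")
    if "private" in cc:
        findings.append("private excludes shared caches only, not the browser's own")
    if cc.get("max-age") == "0":
        findings.append("max-age=0 marks the copy stale; it can still be written to disk")
    if any(name.lower() == "pragma" for name, _ in headers):
        findings.append("Pragma has no specified meaning in responses")
    findings.append("add 'Cache-Control: no-store' to forbid storing this response")
    return True, findings

# Constructed sample responses for a private file download (not captured traffic).
SAMPLES = {
    "no directives": [("Content-Type", "application/zip"),
                      ("Content-Disposition", "attachment")],
    "looks safe, is not": [("Cache-Control", "private, no-cache, max-age=0"),
                           ("Pragma", "no-cache")],
    "correct": [("Cache-Control", "no-cache, No-Store")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        storable, notes = audit_sensitive_response(hdrs)
        print(f"{label}: {'STORABLE' if storable else 'not stored'}")
        for note in notes:
            print("   -", note)
```

Running the same audit against every authenticated download endpoint in a test suite catches a regression before it depends on any one browser's default behaviour.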
 
