UberSocial fixes direct-message privacy bug

UberSocial has fixed a bug in its Twitter software for mobile phones that put some users’ privacy at risk.

The flaw made direct messages public for a small number of users who may have used the company’s UberSocial and Twidroyd software in a very specific way, said Steve Chadima, chief marketing officer with UberMedia, the company that develops UberSocial. Users who typed “d username” and then sent direct messages longer than 140 characters could have had their messages viewed by anyone. Users who send direct messages using UberSocial’s default @username syntax were not affected, he said in an e-mail interview.

The flaw was fixed on UberSocial's back-end servers late Thursday, Chadima said.

UberSocial, formerly known as UberTwitter, fixed a similar problem about a month ago, but the company’s developers didn’t realize that it could be a problem if people typed “d username.”

“[N]o one thought of these rarely used conventions like ‘d username,’” Chadima said. These are “used almost exclusively by SMS tweeters, not those tweeting from apps that have buttons you can click or tap on to generate a direct message.”

“There are so few users that this actually affects that we hadn’t caught this until Twitter pointed it out,” he said.

Twitter warned users of the problem Thursday with a pair of messages from its @Safety account.

UberSocial says that millions of people have downloaded its software, which runs on the iPhone, BlackBerry and Android phones.
