According to TechCrunch via Digital Trends, security researcher Karan Saini divulged his findings of Twitter’s odd kink of not actually erasing user-deleted private messages, but rather just prevent them from appearing on their website and app.
Saini had even found direct messages linked to old accounts which were deleted. According to TechCrunch, Saini was able to access said messages via a bug that exploits deprecated APIs. These messages we’re retrievable even though they were deleted by both the sender and receiver.
Folks are having some trouble understanding this, so here is a short summary:
DMs are never “deleted”—rather only withheld from appearing in the UI. The archive feature lets you view these DMs, as well as any others with now suspended, or deactivated users https://t.co/IXRdT6G9i6— Karan Saini (@iasni) February 16, 2019
According to Digital Trends, Twitter lets you recover a deleted account within 30 days of the action; upon exceeding the 30-day limit, Twitter, by right, should completely wipe all data linked to the account, including messages. This discovery has suggested that this is untrue.
Saini believes that this is a bug rather than a security flaw. But regardless of what it is, people’s privacies are at stake – whether Twitter are keeping messages deliberately or not, it begs the question if data is being kept and sold. Given the popularity, you’re talking about personal data belonging to millions of individuals being kept by one organization; now that’s sketchy.