Privacy alert: Twitter disclosed email addresses when people sent DMs (UPDATED)

Friday, June 19th, 2009

UPDATE, 3 p.m. Pacific time: Twitter appears to have fixed the bug, and DMs from before June 11 do not appear to be affected.  But anybody you sent a DM to between June 11 and June 18 now has the email address you’re using on your Twitter account.

FYI – when you send a DM, the receiver CAN SEE YOUR EMAIL ADDRESS from the DM sent via email. BE AWARE!!! @twitter #security #fail

– ChicagoBungalow about 18 hours ago on Twitter

For those who aren’t on Twitter, a DM is a “direct message”, twitterspeak for a private message between two people. When you receive a DM, Twitter notifies you via email. And sure enough, just as ChicagoBungalow said, if I send you a DM and you look at the email header information, you’ll see that the “Sender” field has an address like

twitter-dm-jon_pincus=yahoo.com@postmaster.twitter.com

This field is hidden by default — in Gmail, you need to select “Show original” to see it — but once you find it, it doesn’t take a rocket scientist to figure out what yahoo.com account name I used to sign up on Twitter.
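Here is a check a mail-sending service could run on its own outgoing notifications to catch this kind of leak. It is an added example, not part of the original post and not Twitter's code. It assumes the `<prefix><user>=<domain>@host` layout shown above; the `notify-dm-` prefix, the `.example` addresses, the header list and the function names are all made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed notification emails; every address here is made up.
LEAKY = """\
From: Notifier <noreply@notify.example>
Sender: notify-dm-alice_a=mail.example@postmaster.notify.example
To: bob@other.example
Subject: Direct message from alice

hi
"""
# Same layout, but the encoded mailbox is the recipient's own (bounce tracking).
BENIGN = LEAKY.replace("alice_a=mail.example", "bob=other.example")

def embedded_address(addr, prefix=""):
    """Decode '<prefix><user>=<domain>@host' to 'user@domain', else None."""
    local, at, _host = addr.rpartition("@")
    user, eq, domain = local.rpartition("=")
    if not at or not eq or not user or "." not in domain:
        return None
    if prefix and user.startswith(prefix):
        user = user[len(prefix):]
    return f"{user}@{domain}".lower()

def audit(raw, prefix=""):
    """List (header, mailbox) pairs that expose a mailbox other than a recipient's."""
    msg = message_from_string(raw)
    rcpts = {a.lower() for _, a in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    findings = []
    for header in ("Sender", "Return-Path", "Errors-To", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            found = embedded_address(addr, prefix)
            if found and found not in rcpts:
                findings.append((header, found))
    return findings

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("benign", BENIGN)):
        print(name, audit(raw, prefix="notify-dm-"))
```

Encoding the recipient's own mailbox in a bounce address tells the recipient nothing new, which is why the check only flags a mailbox that is not on the To or Cc line.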

If I want somebody to have my email address, I’ll send it to them.  I don’t want Twitter giving it out for me. And most especially, I don’t want Twitter doing it behind my back.

jon

PS: I updated this post several times to clarify the description; thanks to all for the feedback, and @NiteStar for the Gmail instructions.