Microblogging website Twitter doesn't delete your direct messages (DMs) even years after you have deleted them, reports TechCrunch.
According to security researcher Karan Saini, Twitter preserves direct messages for years: not only those you and others have deleted, but also those sent to and from accounts that have since been deactivated or suspended.
"DMs are never 'deleted'—rather only withheld from appearing in the UI. The archive feature lets you view these DMs, as well as any others with now suspended, or deactivated users."
Saini found he was able to access his years-old deleted messages in the account data he retrieved from the official Twitter website.
Saini also revealed another bug that he discovered a year ago but had not disclosed until now. That bug allowed him to recover messages deleted by both the sender and the recipient, but not messages belonging to suspended Twitter accounts.
"Previously, it was possible to use the 'direct_messages/show' endpoint (which is now deprecated) for the same purpose. I submitted the report for this to Twitter in January of 2018, and at the time, the team accepted the residual implications of the issue."
Although it is a "functional bug" rather than a security flaw in the strict sense, it gives any ordinary user a "clear bypass" of the Twitter procedures that are meant to prevent access to DMs sent to and from deactivated or suspended accounts.
Twitter is currently looking into this further to ensure they have "considered the entire scope of the issue."