Twitter DMs turn out to be recoverable: data remains even years after an account is deleted

by Andy Melton

Twitter's direct message (DM) function lets you exchange messages with other Twitter users without the exchange appearing on the timeline. Security researcher Karan Saini has pointed out that the contents of these DMs can be restored even if several years have passed since the Twitter account was deleted.

Even years later, Twitter does not delete your direct messages | TechCrunch

Twitter DMs Still Available to Download Years After Being Deleted | Digital Trends

In DMs, each side can "delete messages", but even if you delete a message you sent from your own Twitter account, the record of what was sent remains on the other party's DM screen. If the other party also deletes the same message, it is no longer visible on either DM screen.

Twitter says that users have the right to delete their accounts and their data, but it also states that an account can be revived within 30 days of deletion. This serves as a kind of remedy for accounts deleted by accident.

However, Saini said that even if both parties to an exchange have deleted the DM and deleted their accounts, and even if several years have passed beyond the 30 days, the contents of the DM can be restored. "We are concerned that Twitter holds user data for quite a long time," Saini said.


Saini reportedly succeeded in obtaining, through Twitter's website, the archived data of an account deleted several years ago, and DM contents were recorded in it. He was also reportedly able to retrieve the contents of messages deleted by both parties to a DM exchange, using a security-friendly API.

Account data can be downloaded from "Twitter data" in Twitter settings.

TechCrunch tried the method Saini used and was able to obtain the data of a Twitter account that had already been closed; the data reportedly contained DM messages sent and received in March 2016.

Regarding the fact that Twitter still holds the DMs of accounts that were supposed to have been deleted, Saini says "It is a functional bug rather than a security flaw". However, this way of restoring account data gives anyone a "clear bypass" to a deleted account, which means that even when a user chooses to "delete" on Twitter, the data has not in fact been deleted.

A Twitter spokeswoman stated that the issue is currently under investigation.

in Web Service,   Security, Posted by log1h_ik