Introduction
Imagine installing a seemingly harmless app on your Android phone — no permissions requested, no red flags raised. Yet, the moment you open Twitter and allow it to access your location, that harmless app starts tracking you in real time.
In a vulnerability reported in Twitter’s Android application, security researcher mishre uncovered a critical privacy flaw: Twitter was unknowingly broadcasting users’ location data to every installed app on the device — and a receiving app needed no permissions at all to read it.
Let’s break this down, from impact to exploitation, and see how something as small as an unsecured broadcast can lead to complete location compromise.
The Vulnerability in Plain Terms
At its core, the issue lies in how Twitter’s Android app was handling location updates. When a user enabled the location feature in a tweet, Twitter would:
- Access the device’s GPS data.
- Create a broadcast intent containing this location.
- Send this intent as a device-wide broadcast, without restricting which apps could register a receiver for it.
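The three steps above map onto a handful of lines of Android code. The following is an added illustration, not Twitter’s code or anything the researcher published: the action string, permission name and `com.example.tweet` package are hypothetical. It shows the unrestricted `sendBroadcast` pattern the post describes next to two hardened forms, one that pins the intent to the sending app’s own package and one that requires a signature-level permission on the receiving side.

```java
// Added example (not Twitter's code): forwarding a Location to the rest of an app
// via a broadcast intent. Package, action and permission names are hypothetical.
import android.content.Context;
import android.content.Intent;
import android.location.Location;

public final class LocationBroadcaster {

    // Hypothetical action string; any receiver registered for it gets the intent.
    static final String ACTION_LOCATION = "com.example.tweet.ACTION_LOCATION_UPDATE";

    // Hypothetical signature-level permission, declared in the app's own manifest:
    //   <permission android:name="com.example.tweet.permission.LOCATION_UPDATE"
    //               android:protectionLevel="signature" />
    // Only apps signed with the same certificate as this one can hold it.
    static final String PERM_LOCATION = "com.example.tweet.permission.LOCATION_UPDATE";

    // Steps 1 and 2 from the post: take the GPS fix and pack it into an intent.
    static Intent buildLocationIntent(Location loc) {
        Intent i = new Intent(ACTION_LOCATION);
        i.putExtra("lat", loc.getLatitude());
        i.putExtra("lng", loc.getLongitude());
        i.putExtra("time", loc.getTime());
        return i;
    }

    // Step 3 as described in the post: an implicit broadcast with no target package
    // and no receiver permission. Every installed app that registers a receiver for
    // ACTION_LOCATION receives the coordinates without holding any location permission.
    static void sendUnrestricted(Context ctx, Location loc) {
        ctx.sendBroadcast(buildLocationIntent(loc));
    }

    // Hardened form 1: pin the broadcast to this app's own package. The system then
    // delivers it only to receivers inside that package; other apps never see it.
    static void sendToOwnPackageOnly(Context ctx, Location loc) {
        Intent i = buildLocationIntent(loc);
        i.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i);
    }

    // Hardened form 2: require that the receiver hold PERM_LOCATION. Because the
    // permission is signature-level, third-party apps cannot be granted it.
    static void sendWithPermission(Context ctx, Location loc) {
        ctx.sendBroadcast(buildLocationIntent(loc), PERM_LOCATION);
    }
}
```

If the data never needs to leave the process, a broadcast is the wrong tool altogether; an in-process observer (LiveData, Flow, or a plain listener) carries no inter-app exposure. When reviewing an app for this class of bug, look for every `sendBroadcast` call whose intent carries sensitive extras and check that it either calls `setPackage` or passes a receiver permission, and that manifest-declared receivers for internal actions are marked `android:exported="false"`.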