Twitter Fleets bug let some scrape videos even after expiration

By JC Torres/Nov. 22, 2020 11:17 pm EST

Compared to the likes of Facebook and Instagram, which Facebook owns, Twitter's big changes are relatively more sporadic. It took years for it to extend its 140-character limit and, to this day, still won't let users edit their tweets. When it does push out changes, though, they're often big, controversial, and rarely gets reverted. Its latest feature, an unabashed Snapchat and Instagram Stories clone, is the latest proof of that and so far it has been a disastrous launch, including a potential privacy-violating bug.

We all knew it was coming ever since Twitter started testing its short-video format in Brazil months ago. Perhaps many hoped that Twitter would relent and wouldn't want to be labeled as a copycat. All those hopes were crushed last week when it did rollout Fleets to a wider public and it has gone downhill since.

Fleets, which reinforces human civilization's ever-shortening attention spans, are meant to be ephemeral, living only for 24 hours. Unlike Snapchat or Instagram, it blocks any form of interaction from viewers but also allows users to see who have seen their Fleets. Numerous users have complained about severe performance issues ever since Fleet started rolling out, forcing Twitter to slow down its pace without actually removing Fleets.

Now it seems that the feature had a rather serious bug that went unnoticed until a week after its launch. Although Fleets did disappear from your timeline after 24 hours, it was apparently still available for viewing beyond that using an app that exploited the bug in the feature's API and Twitter's servers. Even worse, those who access Fleets this way won't show up in the Fleet's "viewed by" list.

Given that Fleets are public, it's unlikely you'll be posting compromising content on Fleets anyway, at least not knowingly. It's still a rather basic bug that should have been checked even before its launch. TechCrunch's report also notes that, regardless of their 24-hour lifetime, Twitter itself will hold on to those Fleets for up to a month, sitting in their servers tempting hackers.