Twitter has recently joined other social platforms by introducing a feature enabling users to share content designed to disappear after a set period. Known as Fleets, this functionality permits Twitter’s mobile users to publish brief updates, such as images or videos enhanced with accompanying text, which are automatically removed after 24 hours.

However, a technical issue arose where Fleets were not being deleted as intended, remaining accessible even after the 24-hour timeframe had passed. Information regarding this flaw was shared via a sequence of posts on Twitter on Saturday, just days following the feature’s initial release.

https://twitter.com/donk_enby/status/1329935540049817600

This bug essentially permitted anyone to view and save a user’s Fleets without the user receiving a notification indicating the Fleet had been viewed, or by whom. This raised concerns that the vulnerability could be exploited to create an archive of a user’s Fleets even after their intended expiration.

The discovery involved utilizing an application built to communicate with Twitter’s underlying systems through its developer interface. The application retrieved a listing of Fleets directly from the server, each possessing a unique web address. Accessing these addresses in a web browser displayed the Fleet content as either an image or a video. Notably, even after 24 hours, the server continued to provide links to Fleets that were no longer visible within the Twitter application itself. (Twitter subsequently challenged this finding.)

Upon inquiry, a representative from Twitter confirmed that a solution was in development. “We have identified an issue, accessible through a complex method, where some Fleet media links may remain available beyond the 24-hour period. A correction is being implemented and will be deployed soon.”

Twitter confirmed that the implemented fix ensures Fleets now expire correctly, but clarified that the content will not be immediately removed from their servers. They stated that Fleets may be retained for up to 30 days, and potentially longer if the content violates their established policies. We independently verified that Fleets could still be accessed via their direct links even after their scheduled expiration.