The bug will let anyone to access and download a user’s Fleets without triggering a notification that the user’s Fleet has been read and this bug could be used with an app, which communicates with Twitter’s back-end systems via its developer API.
Twitter had earlier said that even though the Fleets are designed to disappear completely, it could still hold on to them for 30 days if they violate their rules. That means using this flaw; a user can access and download Fleets with unique URLs from the server even after 24 hours.
A Twitter user named @donk_enby detailed this happening in a series of tweets. Twitter says it is aware of this and is working to fix it.