A Bug In One Of Twitter's APIs May Have Leaked Users' DMs To Developers

Bugs come in many forms, and most of the time they can be around for a long time before being discovered.

Twitter is not as big and as complex as Facebook. It boasts a simple feed where everything happens. But simplicity doesn't guarantee that Twitter is free from bugs, as some Twitter users said that they received a message saying that their direct messages or protected tweets may have been sent to developers "who were not authorized to receive them."

The bug in question is related to Twitter's Account Activity API (AAAPI) where data being delivered can be sent to the wrong registered developer.

"If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer."

"In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error."

The bug was first discovered on September 10th, according to some users' concerns, but had been active since sometime in May 2017.

The social media company said that the issue affected 1 percent of all its users, and that a specific set of circumstances had to occur to trigger the bug:

  1. Two or more registered developers had active AAAPI subscriptions configured for domains that resolved to the same public IP.
  2. For active subscriptions, URL paths (after the domain) had to match exactly across those registered developers.
  3. Registered developers had activity relevant to their subscriptions occur in the same 6-minute time period.
  4. Those registered developers’ subscribers’ activities originated from the same backend server from within Twitter’s data center.

Twitter's Account Activity API allows developers to better build apps for companies to engage with customers through DM, chatbots, and others.

Under those circumstances, if the bug occurred, the API transmitted activities to the wrong webhook URL.

"If you are a developer who used the Account Activity API during the relevant time period for this issue (i.e., between the date you had access to the AAAPI and Sept. 10, 2018), we hope the above information is useful in assessing whether this issue may have impacted your services," said Twitter.
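For a developer or hosting provider reviewing their own webhook inventory, the first three conditions can be checked mechanically. The sketch below is an added example, not code from Twitter or from the original article: the inventory format, developer names, URLs, IPs and timestamps are constructed, and "same 6-minute time period" is assumed to mean activity timestamps no more than six minutes apart. Condition 4 (the same Twitter backend server) is not observable from outside Twitter, so a hit only means exposure was possible.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=6)  # condition 3 (interpretation is an assumption)

# Constructed sample inventory: (developer, webhook URL, public IP the domain
# resolved to, timestamps of activity relevant to that subscription).
SUBSCRIPTIONS = [
    ("dev-a", "https://bots.example.com/webhooks/twitter", "203.0.113.10",
     ["2018-06-01T12:00:30", "2018-06-02T09:15:00"]),
    ("dev-b", "https://support.example.net/webhooks/twitter", "203.0.113.10",
     ["2018-06-01T12:04:10"]),
    ("dev-c", "https://crm.example.org/hooks/tw", "203.0.113.10",
     ["2018-06-01T12:01:00"]),
    ("dev-d", "https://chat.example.io/webhooks/twitter", "198.51.100.7",
     ["2018-06-01T12:02:00"]),
]

def collision_groups(subs):
    """Conditions 1 and 2: developers sharing a public IP and an exact URL path."""
    groups = defaultdict(list)
    for dev, url, ip, times in subs:
        key = (ip, urlsplit(url).path)  # path only: the part after the domain
        groups[key].append((dev, [datetime.fromisoformat(t) for t in times]))
    # Keep only groups that contain more than one distinct developer.
    return {k: v for k, v in groups.items() if len({d for d, _ in v}) > 1}

def overlapping_activity(subs, window=WINDOW):
    """Condition 3: developer pairs in a group with activity within `window`."""
    hits = []
    for (ip, path), members in collision_groups(subs).items():
        for (dev_a, t_a), (dev_b, t_b) in combinations(members, 2):
            close = [(a, b) for a in t_a for b in t_b if abs(a - b) <= window]
            if dev_a != dev_b and close:
                hits.append((ip, path, dev_a, dev_b, len(close)))
    return hits

if __name__ == "__main__":
    for ip, path, a, b, n in overlapping_activity(SUBSCRIPTIONS):
        print(f"{a} and {b} share {ip}{path}: {n} activity pair(s) within 6 min")
```
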

This is the second security breach the social media company has experienced in 2018.

Previously, Twitter said that it mistakenly saved users' passwords in plain text format in an internal log used by Twitter employees. When Twitter realized what had happened, it quickly urged all users to change their passwords.

"We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day," said Twitter.