Twitter has said that a recently-patched bug in their platform had enabled unauthorized third-party developers to read users’ private messages or protected tweets.
Twitter found a bug in its Account Activity API (AAAPI), which lets registered developers build tools to support communications with their customers. The bug had been present since May 2017 and was discovered on September 10. Twitter patched it immediately to stop data from being unintentionally sent to the wrong developer.
Twitter explains that “If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer.”
The bug stems from the way Twitter's AAAPI works: it could occur when two or more registered developers had AAAPI subscriptions configured for domains that resolved to the same public IP. If a user interacted with an account on Twitter that used the AAAPI, the bug could inadvertently send one or more of their DMs and protected tweets to the wrong developer instead of the authorized one.
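The article only says that subscriptions for domains resolving to one public IP could be confused. The following added example (not Twitter's code; all hostnames, IPs and payloads are constructed) models that failure class in a simplified webhook dispatcher: routing keyed by resolved IP misdelivers events, routing keyed by the authorizing subscription does not, and a check lists any payload that reached a developer other than the one it belonged to.

```python
"""Illustrative model of webhook misdelivery when endpoints are keyed by the
public IP their domain resolves to.  Assumption: this is how a dispatcher
could go wrong, not a description of Twitter's actual implementation."""
from collections import defaultdict

# Constructed DNS table: two unrelated developers share one hosting IP.
DNS = {
    "hooks.airline-dev.example": "203.0.113.10",
    "hooks.retailer-dev.example": "203.0.113.10",  # same shared IP
    "hooks.bank-dev.example": "203.0.113.20",
}

# Constructed subscriptions: developer id -> registered webhook domain.
SUBSCRIPTIONS = {
    "airline": "hooks.airline-dev.example",
    "retailer": "hooks.retailer-dev.example",
    "bank": "hooks.bank-dev.example",
}

# Constructed account-activity events: (developer who authorized, payload).
EVENTS = [
    ("airline", "DM: passenger asks about seat change"),
    ("retailer", "DM: customer asks for order status"),
    ("bank", "protected tweet: account holder reply"),
]

def resolve(host):
    return DNS[host]

def deliver_by_ip(subscriptions, events):
    """Buggy routing: the endpoint table is indexed by resolved IP, so a later
    registration on the same IP silently overwrites an earlier one and the
    earlier developer's events go to whoever last claimed that IP."""
    by_ip = {resolve(host): dev for dev, host in subscriptions.items()}
    delivered = defaultdict(list)
    for owner, payload in events:
        delivered[by_ip[resolve(subscriptions[owner])]].append(payload)
    return delivered

def deliver_by_subscription(subscriptions, events):
    """Fixed routing: every event stays bound to the subscription (developer id
    plus its own endpoint) that authorized it; a shared IP is irrelevant."""
    delivered = defaultdict(list)
    for owner, payload in events:
        delivered[owner].append(payload)
    return delivered

def misrouted(delivered, events):
    """Detection check: payloads that landed with a developer other than the
    one whose subscription the event belonged to (empty means no leak)."""
    expected = {payload: owner for owner, payload in events}
    return sorted(p for dev, ps in delivered.items() for p in ps if expected[p] != dev)
```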
Twitter explains that “Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source. In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”
Twitter says it has not yet found proof that the wrong developer actually received DMs or protected tweets, but it cannot rule this out either.
According to Twitter, fewer than 1 percent of its more than 335 million monthly active users were affected, which may still amount to more than 3 million users.
A Twitter spokesperson said: “Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data.”
However, it should be noted that the bug involved only users’ DMs with companies that use Twitter “for things like customer service”, not all of their DMs.
The company has already contacted the developers who received the unintended data and is making sure they comply with their commitment to delete information they should not have.
The investigation into the bug is still “ongoing,” and Twitter assures its users that the data sent to unauthorized developers was not misused.
However, nothing can be done about data that has already reached the wrong hands.