A bug in Twitter's API inadvertently exposed some users' direct messages (DMs) and protected tweets to unauthorized third-party app developers who weren't supposed to get them, Twitter disclosed in its Developer Blog on Friday.
Twitter found a bug in its Account Activity API (AAAPI), which is used by registered developers to build tools to support business communications with their customers, and the bug could have exposed those customers' interactions.
The Twitter AAAPI bug was present for more than a year—from May 2017 until September 10—when the microblogging platform discovered the issue and patched it "within hours of discovering it."
In other words, the bug was active on the platform for almost 16 months.
"If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer," Twitter explains.
How Did This Happen?
The bug resides in the way Twitter's AAAPI works. If a user interacts with an account or business on Twitter that used the AAAPI, the bug "unintentionally" sends one or more of their DMs and protected tweets to the wrong developers instead of the authorized ones.
"Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source," Twitter explains.
"In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error."
How Many Twitter Users Are Affected?
Although Twitter says it has not yet discovered any evidence that a wrong developer received DMs or protected tweets, the company also "can't conclusively confirm it didn't happen."
So, it is notifying potentially impacted people, who, according to Twitter, make up less than 1 percent of its users. Since Twitter now has over 336 million monthly active users, the bug could potentially affect more than 3 million people.
"Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data," the company says.

It should be noted that the bug only involves users' DMs and interactions with companies that use Twitter "for things like customer service"—not all your DMs.
How Is Twitter Handling The Issue?
Twitter says the company has already contacted developers who received the unintended data and is "working with them to ensure that they are complying with their obligations to delete information they should not have."
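The page describes two defender-side tasks: the routing invariant that the AAAPI broke (an account's activity may only reach developers that account authorized) and the cleanup step (identifying which developers received data they must delete). The following added example is a hypothetical model written for this article, not Twitter's code; the authorization table and the delivery log are constructed, and the field names are assumptions. It audits a delivery log against the authorization table and produces the notification and deletion summary an incident responder would need.

```python
from dataclasses import dataclass

# Hypothetical model of an account-activity delivery path (not Twitter's code).
# Invariant: an event about a subject account may be delivered only to
# developer apps that the subject account explicitly authorized.

@dataclass(frozen=True)
class Delivery:
    event_id: str
    subject: str        # account whose DM / protected tweet the event carries
    kind: str           # "direct_message" or "protected_tweet"
    recipient_app: str  # developer app the webhook dispatcher delivered to

# Constructed authorization table: account -> developer apps it authorized.
AUTHORIZED = {
    "airline_support": {"dev_app_A"},
    "bank_support": {"dev_app_B"},
    "shop_support": {"dev_app_A", "dev_app_C"},
}

# Constructed delivery log, as a webhook dispatcher might record it.
DELIVERY_LOG = [
    Delivery("e1", "airline_support", "direct_message", "dev_app_A"),
    Delivery("e2", "airline_support", "direct_message", "dev_app_B"),  # misrouted
    Delivery("e3", "bank_support", "protected_tweet", "dev_app_B"),
    Delivery("e4", "shop_support", "direct_message", "dev_app_C"),
    Delivery("e5", "shop_support", "protected_tweet", "dev_app_B"),    # misrouted
    Delivery("e6", "unknown_account", "direct_message", "dev_app_A"),  # nothing authorized
]

def authorized_recipients(subject, authorized=AUTHORIZED):
    """Apps allowed to receive events for `subject`; empty set if none were authorized."""
    return authorized.get(subject, set())

def find_misdeliveries(log, authorized=AUTHORIZED):
    """Return every delivery whose recipient was not authorized by the event's subject."""
    return [d for d in log if d.recipient_app not in authorized_recipients(d.subject, authorized)]

def impact_summary(log, authorized=AUTHORIZED):
    """Who must be notified, and which apps must delete which events."""
    bad = find_misdeliveries(log, authorized)
    apps_to_contact = {}
    for d in bad:
        apps_to_contact.setdefault(d.recipient_app, set()).add(d.event_id)
    return {
        "misdelivered": len(bad),
        "affected_subjects": sorted({d.subject for d in bad}),
        "apps_to_contact": {app: sorted(ids) for app, ids in apps_to_contact.items()},
    }

if __name__ == "__main__":
    print(impact_summary(DELIVERY_LOG))
```

Run as a regression check, the same `find_misdeliveries` call over a dispatcher's test log should return an empty list; any non-empty result is a cross-account leak.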
Twitter says its investigation into the bug is still "ongoing," and assures its users that at the current moment, the company has "no reason to believe that any data sent to unauthorized developers was misused."
"We're very sorry this happened," Twitter says. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."
What Can Affected Users Do?
Nothing. Once your data has already gone into the wrong hands, there is really nothing you can do about it.