Twitter API Bug Might Have Exposed Your Direct Messages To The Wrong Developers

Twitter’s direct message feature is meant to be an easy and secure way for users to communicate with one another. On a platform where users post almost everything publicly, direct messages remain private. Nonetheless, Twitter has warned users of a recently fixed flaw that could have compromised their private messages. The Twitter API bug inadvertently shared some users’ direct messages with the wrong developers.

Users’ Private Messages Shared Wrongly Due To A Twitter API Bug

On Friday, Twitter published a blog post informing the public about an API bug that affected some of its users. Before that, it had notified the affected users via in-app pop-ups and a separate notification. Reportedly, a flaw in the Account Activity API (AAAPI) wrongly shared some users’ private messages or tweets with Twitter developers.

The Twitter API bug existed in Twitter’s systems for about a year, affecting the API from May 2017 until it was fixed on September 10, 2018, the same day Twitter officials noticed it. Regarding those affected by this bug, Twitter explained,

“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer… Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”

What Triggered The Bug?

Twitter confirms that the bug affected 1% or less of its users, and only those for whom a particular set of circumstances held. Twitter shared four technical conditions that all had to be true for the bug to trigger.

“We have validated that this bug might have occurred when all of the following technical circumstances were true during the relevant time period for this issue:

  • Two or more registered developers had active Account Activity API subscriptions configured for domains that resolved to the same public IP;

  • For active subscriptions, URL paths (after the domain) had to match exactly across those registered developers — e.g. https://example.com/[webhooks/twitter] and https://anotherexample.com/[webhooks/twitter];

  • Those registered developers had activity relevant to their subscriptions occur in the same 6-minute time period (relevant because of a cache-like behavior); and

  • Those registered developers’ subscribers’ activities originated from the same backend server from within Twitter’s datacenter.”

If all of these conditions were met, the bug could have affected a user for a certain period: as little as six minutes (if no further relevant activity occurred in that window), for two weeks, or potentially until the developer’s IP address changed.
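The four conditions above describe a classic tenant-isolation failure: a routing decision keyed on something two unrelated customers can share (a public IP plus a URL path) instead of on the customer's own registered identity, with a short-lived cache stretching the mistake over a six-minute window. The toy model below is an added illustration, not Twitter's code or a description of its actual implementation; it assumes, purely for demonstration, that the defect behaved like a delivery cache keyed on (resolved IP, path), and it uses constructed domain names, IP addresses and developer names. It shows the misrouting under the vulnerable key, the correct delivery once the cache is keyed on the subscription itself, and why the problem disappears once the cache window has expired.

```python
"""Toy model of the webhook-routing failure implied by Twitter's four
conditions. Added example, NOT Twitter's code: it ASSUMES the defect acted
like a delivery cache keyed on (resolved public IP, URL path) rather than on
the registered subscription. All hosts, IPs and developer names are
constructed sample values."""

from dataclasses import dataclass, field

# Constructed DNS table: two unrelated developers whose webhook hosts happen
# to resolve to the same public IP (condition 1, e.g. a shared hosting provider).
DNS = {
    "example.com": "203.0.113.10",
    "anotherexample.com": "203.0.113.10",
    "third.example.net": "203.0.113.20",
}

CACHE_TTL_SECONDS = 6 * 60  # condition 3: "cache-like behavior" over a 6-minute window


@dataclass
class Subscription:
    developer: str
    host: str
    path: str


@dataclass
class Router:
    ttl: float = CACHE_TTL_SECONDS
    # cache maps a routing key -> (developer that populated it, timestamp)
    cache: dict = field(default_factory=dict)

    def _lookup(self, key, sub, now):
        entry = self.cache.get(key)
        if entry is None or now - entry[1] > self.ttl:
            # miss or expired: (re)populate with the caller's own identity
            self.cache[key] = (sub.developer, now)
            return sub.developer
        # hit: whoever populated the entry inside the TTL receives the delivery
        return entry[0]


class VulnerableRouter(Router):
    """Keys the cache on (resolved IP, path): two subscriptions that share an
    IP and an identical path (conditions 1 and 2) collapse onto one entry."""

    def deliver(self, sub, now):
        return self._lookup((DNS[sub.host], sub.path), sub, now)


class FixedRouter(Router):
    """Keys the cache on the subscription's own identity, so a shared IP can
    never merge two tenants' routes."""

    def deliver(self, sub, now):
        return self._lookup((sub.developer, sub.host, sub.path), sub, now)


def _two_devs():
    # One Router instance stands in for a single backend server (condition 4).
    a = Subscription("dev_A", "example.com", "webhooks/twitter")
    b = Subscription("dev_B", "anotherexample.com", "webhooks/twitter")
    return a, b


def simulate(router_cls):
    """A's activity primes the cache; B's activity follows two minutes later,
    inside the window. Returns which developer received B's event."""
    router = router_cls()
    a, b = _two_devs()
    t0 = 1_000_000.0
    router.deliver(a, t0)
    return router.deliver(b, t0 + 120)


def simulate_after_window(router_cls):
    """Same scenario, but B's activity arrives after the TTL has expired: the
    stale entry is ignored, so even the vulnerable router delivers correctly."""
    router = router_cls()
    a, b = _two_devs()
    t0 = 1_000_000.0
    router.deliver(a, t0)
    return router.deliver(b, t0 + CACHE_TTL_SECONDS + 1)


def simulate_distinct_paths(router_cls):
    """Shared IP but different paths: condition 2 fails, so no collision."""
    router = router_cls()
    a, b = _two_devs()
    b.path = "hooks/twitter"
    t0 = 1_000_000.0
    router.deliver(a, t0)
    return router.deliver(b, t0 + 120)


if __name__ == "__main__":
    print("vulnerable, inside window:", simulate(VulnerableRouter))          # dev_A (misrouted)
    print("fixed, inside window:     ", simulate(FixedRouter))               # dev_B
    print("vulnerable, after window: ", simulate_after_window(VulnerableRouter))  # dev_B
    print("vulnerable, other path:   ", simulate_distinct_paths(VulnerableRouter))  # dev_B
```

The design lesson is independent of the assumed mechanism: any cache or routing table in a multi-tenant system should be keyed on the tenant's authenticated identity, never on attributes such as IP addresses or URL paths that tenants can legitimately share.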

Twitter Patched The Flaw

Although the Twitter API bug remained active in the system for more than a year, Twitter fixed it on the same day it noticed it. Twitter is also working with the developers involved to ensure that any messages or tweets wrongly delivered to them are deleted.

In addition, Twitter began investigating the matter and has so far found no malicious effect of the bug.

“Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review.”

Twitter will, however, continue to investigate other enterprise partners who may have been affected by the bug.

We shall keep you updated as we get more details regarding this matter.

Let us know your thoughts in the comments section.
