Twitter API bug potentially allowed developers to read DMs and private accounts

Donna Miller
September 23, 2018

The 280-character shoutfest admitted on Friday that a bug present in one of its APIs from May 2017 to September 10, 2018, could have caused some messages to leak to certain third-party programmers.

Affected users are being notified via a message that appeared when opening the app or logging on to Twitter's website.

Twitter has not discovered any instances where DMs or protected tweets were delivered to the wrong developer. Users who interacted with accounts or businesses that relied on developers using the AAAPI may've had their direct messages or protected tweets sent to the wrong people. Twitter now has over 336 million users and one per cent means almost 3 million of those were affected.

According to a support page published today, Twitter said the bug was found in the Account Activity API (AAAPI), a system that allows Twitter business accounts to grant access to an account's data to multiple developers at the same time.

Britain preparing to set up internet regulator
Many are also anxious that regulators may overreach and penalize content arbitrarily, potentially infringing on free speech. The body will regulate broadcasters, telecoms and postal communications , it said .

The company said it'll contact people directly through an in-app notice and on Twitter's site if their account was affected by the bug. The company said it patched the flaw "within hours of discovering it". For this to occur, two or more registered developers had to share API subscriptions tied to the same public IP, URL paths had to match exactly across those IPs, and the information sent to developers had to originate from the same server in Twitter's datacenter.

"We're very sorry this happened", Twitter wrote.

"Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review", Twitter said in its statement.

Those users that were affected by the bug will be contacted directly by Twitter staff, it said, adding that the investigation into the issue was ongoing. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day".

Other reports by

Discuss This Article

FOLLOW OUR NEWSPAPER