A bug in Twitter Account Activity API has exposed some users’ direct messages (DMs) and protected tweets to unauthorized third-party app developers.
“We recently published a notice about a bug related to our Account Activity API that could have resulted in data being delivered to the wrong registered developer.” reads a security advisory published by Twitter.
“As part of our ongoing investigation, we have already emailed all developers who may have been impacted, and want to provide some additional details to potentially affected developers here.”
The Account Activity API (AAAPI) allows registered developers to build applications that can manage the full set of activities related to a Twitter account, including Tweets, DM
The bug in the Twitter AAAPI was introduced in May 2017; it was discovered on September 10 and patched “within hours of discovering it.” The problem only caused the exposure of users’ DMs and interactions with companies that use Twitter “for things like customer service.”
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer.” states Twitter.
Twitter confirmed that if a user interacted with an account or business on Twitter that used the AAAPI, the bug may have caused one or more of their DMs and protected tweets to be shared unintentionally with the wrong source.
“In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer.” continues Twitter.
“It is important to note that based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source.”
The company is notifying potentially affected users; according to Twitter, less than 1 percent of users were affected (more than 3 million people).
Twitter has already contacted developers who received the unintended data and is “working with them to ensure that they are complying with their obligations to delete information they should not have.”
The company is still investigating the issue.
(Security Affairs – Twitter Account Activity API, data leak)