Twitter on Friday said that a recently-patched bug in its platform enabled software developers to read users’ private direct messages or protected tweets.
The bug ran from May 2017 until it was discovered on September 10 – after which Twitter patched the glitch to prevent data from being unintentionally sent to the incorrect developer. Twitter said that less than 1 percent of its over 335 million monthly active Twitter users were impacted.
The bug existed in Twitter’s Account Activity API (AAAPI), which allows registered developers to build tools to communicate with customers on Twitter.
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” Twitter said in a Friday post. “In some cases this may have included certain direct messages or protected tweets, for example a direct message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”
The bug may have occurred when two or more registered developers had AAAPI subscriptions configured for domains that resolved to the same public IP; or, if they had activity relevant to their subscription occur in the same six-month time period and if their subscribers’ activities originated from the same back-end server in Twitter’s data center. Also, for active subscriptions, URL paths (after the domain) had to match exactly across those registered developers for the issue to be triggered.
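As an added illustration (constructed here, not Twitter's code; the developer names, hosts and IPs are hypothetical), the following model shows how keying webhook delivery by resolved IP and URL path instead of by the subscription itself lets one developer's events land with another developer whose domain shares the same IP, and includes an audit check that flags such collisions:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, simplified model of the trigger conditions described above.
# Names, hosts and IPs are hypothetical; this is not Twitter's implementation.

@dataclass(frozen=True)
class Subscription:
    developer: str   # registered developer identity
    host: str        # domain of the developer's webhook URL
    path: str        # URL path after the domain

# Constructed DNS table: two different developers' domains resolve to one IP.
DNS = {"alpha.example": "203.0.113.10", "beta.example": "203.0.113.10",
       "gamma.example": "198.51.100.7"}

def buggy_routes(subs: List[Subscription]) -> Dict[Tuple[str, str], Subscription]:
    """Keyed only by (resolved IP, path): a later subscription overwrites an
    earlier one whenever both resolve to the same IP and the paths match exactly."""
    table: Dict[Tuple[str, str], Subscription] = {}
    for s in subs:
        table[(DNS[s.host], s.path)] = s
    return table

def fixed_routes(subs: List[Subscription]) -> Dict[Tuple[str, str, str], Subscription]:
    """Keyed by developer as well, so shared hosting can never merge two subscriptions."""
    return {(s.developer, DNS[s.host], s.path): s for s in subs}

def recipient(subs: List[Subscription], event_owner: str, fixed: bool) -> str:
    """Which developer receives an event that belongs to event_owner's subscription?"""
    mine = next(s for s in subs if s.developer == event_owner)
    if fixed:
        return fixed_routes(subs)[(mine.developer, DNS[mine.host], mine.path)].developer
    return buggy_routes(subs)[(DNS[mine.host], mine.path)].developer

def collisions(subs: List[Subscription]) -> List[Tuple[str, str]]:
    """Audit check: developer pairs whose subscriptions collide under the buggy keying."""
    seen: Dict[Tuple[str, str], str] = {}
    out: List[Tuple[str, str]] = []
    for s in subs:
        key = (DNS[s.host], s.path)
        if key in seen and seen[key] != s.developer:
            out.append((seen[key], s.developer))
        seen.setdefault(key, s.developer)
    return out

SUBS = [Subscription("alpha", "alpha.example", "/webhooks/twitter"),
        Subscription("beta", "beta.example", "/webhooks/twitter"),
        Subscription("gamma", "gamma.example", "/webhooks/twitter")]
```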
A Twitter spokesperson told Threatpost the company is confident that the data was not misused: “Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data,” the spokesperson said.
Nonetheless, impacted users, like Twitter user John Opdenakker, took to the platform to inquire about the issue.
Just got this Twitter data breach notification (Dutch)! Due to a bug probably 1 or more of your private messages or protected tweets were sent to #Twitter developers. Bug since May 2017 but only discovered 10 September 2018. No proof of abuse. #Infosec #cybersecurity #databreach pic.twitter.com/8oKMjnirbM
— John Opdenakker (@j_opdenakker) September 21, 2018
Katie Moussouris, founder of Luta Security, wanted to know which of her messages specifically were impacted and who had received them.
I just got this from Twitter, so I asked:
"I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised?" pic.twitter.com/OILTbbw7uc
— Katie Moussouris (@k8em0) September 21, 2018
Twitter said its investigation is still ongoing, but any impacted users were notified through an in-app notice.
Earlier this year, in May, Twitter said a flaw had caused account passwords to be stored in plain text in an internal log, sending users across the platform scrambling to change their passwords. The social-media company said that it found and fixed the flaw, and that its investigation showed no indication of a breach or misuse.
Both incidents come as Twitter, like Facebook and other platforms, struggles to bolster its data-privacy protections.