Posted on September 26, 2018 at 8:57 AM
Thanks to an API bug, numerous third-party app developers got access to protected tweets and private messages of some Twitter users.
Privacy and security issues have been a part of the internet ever since it came to be. These days, however, it would seem that more and more bugs are being found in various apps, and these vulnerabilities are often responsible for private data leaks. Such instances were even reported on large social networks like Facebook, and now — Twitter.
Recently, a bug was discovered in the Twitter API, and according to experts, it exposed significant amounts of private messages and even protected tweets. Third-party app developers are supposedly the only ones who managed to access this content, even though that was never supposed to happen. Twitter itself addressed the issue in a blog post published on Friday.
The bug was found in Twitter’s AAAPI (Account Activity API). This is what registered app developers can use for creating different tools for supporting business communication with customers. The bug seems to have exposed the interactions of specific customers, and the wrong developers managed to get access to these interactions.
According to experts, this is not a new bug, and it was, in fact, present for over a year — from May 2017 to September 2018. The issue was eventually discovered and patched within a few hours. However, the bug was still active for over 16 months, and there is no way of determining just how much private information could have been collected during this period.
According to reports, the bug resided in the way the AAAPI works. If a business relied on the AAAPI and was contacted by a user account, the bug would send a certain amount of that user's protected tweets and DMs (Direct Messages) to the wrong developer. Instead of the authorized developer receiving this data, another, unrelated third-party developer would get it without even asking for it.
Twitter claims that this happened due to a “complex series of technical circumstances” that occurred at the same time. The result was private information being sent to the wrong recipient.
The consequences of the bug
Twitter tried to determine just how many users may have been affected by the bug, but this has proven to be more complicated than it sounds. The company did not even find proof that any unauthorized developer actually received protected tweets and DMs. However, it also cannot confirm that such cases did not happen. Because of this, the best it can do for now is give an educated guess: less than 1% of users were affected by the bug.
While this seems small at first, it should be noted that Twitter currently has over 336 million active users per month. With that in mind, the bug may have affected as many as 3 million accounts. The positive thing is that the bug only involves messages sent between a user and the various companies that have a presence on Twitter. As such, the leaked data most likely consists of customer service conversations only. Private DMs between ordinary users are in no danger of being affected by the bug.
As for Twitter, the company claims that the relevant developers have already been contacted and that they are currently working together to ensure that all wrongfully sent data will be deleted. Apart from that, Twitter is conducting an investigation into the bug. It also claims that there is no reason to believe that any of this data is, or has been, misused in any way.
As for the affected users themselves, there is really nothing they can do at this time. The data has already reached the “wrong hands”, and it has likely been in the possession of unauthorized developers for months at this point. Because of that, not much can be done right now, apart from what Twitter is already doing.