Twitter notifies users about API bug that shared DMs with wrong devs

Twitter said the API bug was active between May 2017 and early September 2018, for nearly 16 months.
Written by Catalin Cimpanu, Contributor

Twitter has started notifying users today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a user's account with Twitter app developers.

According to a support page published today, Twitter said the bug was found in the Account Activity API (AAAPI), a system through which a Twitter business account can grant several developers access to its account activity (such as incoming direct messages) at the same time.


Because of the bug, when regular Twitter users contacted Twitter business accounts that used the AAAPI, the resulting DMs and protected tweets were sent to the wrong developers instead of the ones the business account had authorized.
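The failure mode the article describes, put into code as an added illustration (this is not Twitter's code, and it does not claim to show the actual root cause of the bug): an account-activity event must only be delivered to developer apps that currently hold an authorization for the specific account the event belongs to, and an audit over delivery records can find every delivery that violated that rule, which is what an operator would need in order to identify affected accounts and the developers to contact. The names (`Event`, `dispatch_event`, `audit_deliveries`), the subscription table and the delivery log are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One account-activity event (hypothetical shape, constructed for this example)."""
    account: str   # the business account whose activity is being reported
    kind: str      # e.g. "dm" or "protected_tweet"
    payload: str


# Constructed sample authorizations: business account -> developer apps it has authorized.
SUBSCRIPTIONS = {
    "acme_support": {"dev_alpha", "dev_beta"},
    "globex_help": {"dev_gamma"},
}


def dispatch_event(event, subscriptions):
    """Return the developer apps allowed to receive this event.

    The invariant: an event about `event.account` goes only to apps that
    hold an authorization for that same account. Unknown accounts get no
    recipients rather than falling through to some default developer.
    """
    return set(subscriptions.get(event.account, ()))


def deliver(event, subscriptions, outbox):
    """Append one (developer, event) pair to `outbox` per authorized developer."""
    for dev in sorted(dispatch_event(event, subscriptions)):
        outbox.append((dev, event))


# Constructed delivery log, one record per webhook delivery: (account, developer, kind).
# Two of these records are deliberate misdeliveries, standing in for the kind of
# wrong-recipient delivery the article describes.
DELIVERY_LOG = [
    ("acme_support", "dev_alpha", "dm"),
    ("acme_support", "dev_beta", "dm"),
    ("acme_support", "dev_gamma", "dm"),                # dev_gamma not authorized for acme_support
    ("globex_help", "dev_gamma", "protected_tweet"),
    ("globex_help", "dev_alpha", "protected_tweet"),    # dev_alpha not authorized for globex_help
]


def audit_deliveries(log, subscriptions):
    """Return every delivery whose recipient held no authorization for the account."""
    return [
        (account, dev, kind)
        for account, dev, kind in log
        if dev not in subscriptions.get(account, set())
    ]


def affected_accounts(log, subscriptions):
    """Accounts whose data reached at least one unauthorized developer (users to notify)."""
    return sorted({account for account, _, _ in audit_deliveries(log, subscriptions)})


def developers_to_contact(log, subscriptions):
    """Developers that received data they should not have (to be asked to delete it)."""
    return sorted({dev for _, dev, _ in audit_deliveries(log, subscriptions)})


if __name__ == "__main__":
    outbox = []
    deliver(Event("acme_support", "dm", "constructed customer message"), SUBSCRIPTIONS, outbox)
    print("correct routing:", [(dev, ev.account) for dev, ev in outbox])
    print("misdeliveries:", audit_deliveries(DELIVERY_LOG, SUBSCRIPTIONS))
    print("affected accounts:", affected_accounts(DELIVERY_LOG, SUBSCRIPTIONS))
    print("developers to contact:", developers_to_contact(DELIVERY_LOG, SUBSCRIPTIONS))
```

The audit keys on the pair (account, recipient), not on the recipient alone: a developer legitimately authorized by one business account is still an unauthorized recipient for every other account, which is exactly the case a per-developer check would miss.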

Twitter said it discovered the bug on September 10 and fixed it the same day. Twitter also said the bug was active between May 2017 and September 2018, for almost 16 months, and affected around one percent of Twitter users.

The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information.

Earlier today, Twitter began showing popup messages to affected users accessing the Twitter website or mobile app.

Twitter also said it contacted developers who received the unintended data and the company is "working with them to ensure that they are complying with their obligations to delete information they should not have."

"We're very sorry this happened," a Twitter spokesperson said. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."

On September 12, the Twitter staff also modified the way third-party apps can access images shared via direct messages, but this issue doesn't appear to be related to today's notification.


In July, Twitter hardened developer account verification policies in order to fight off bot networks and propaganda campaigns. The company also removed more than 143,000 suspicious apps at the same time.

Article updated shortly after publication with additional data from a Twitter blog post offering more details about the issue. Title updated accordingly.
