Twitter has admitted that an API bug exposed messages of select users to external developers. In a blog post, the company said it recently discovered a bug in its “Account Activity API (AAAPI)” that likely caused certain Direct Messages to be shared with developers outside the company.
Twitter said the bug had been present since May 2017 and that the issue was fixed within hours of its discovery on September 10, 2018. The bug affected less than 1 per cent of users, specifically those who interacted with an account or business on Twitter that relied on a developer using the AAAPI, the API that lets “registered developers” build tools for better communication with customers on the platform.
In the blog post, Twitter said it had shipped a fix to prevent data from being sent “unintentionally” to the wrong developer. However, the company has not confirmed the exact number of users impacted by this bug.
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer. In some cases, this may have included certain Direct Messages or protected Tweets, for example, a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error,” Twitter said in its blog post.
Twitter noted that a “complex series of technical circumstances” was required for the bug to send Direct Messages to the wrong developer. The company said it will contact users affected by the bug directly via an in-app notice and on its official site.
While this is a serious issue that could compromise users’ privacy on the platform, Twitter said in its Developer blog that it is still investigating. Citing only “one set of technical circumstances” that could have caused the issue, the company said it has already emailed “all” developers impacted by the bug.
“Based on the way the Account Activity API works, the issue itself would have involved data being sent by Twitter to the wrong registered developer’s webhook URL. This API sends data to registered developers who use the Account Activity API based on their active subscriptions.”
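The quoted description boils down to a routing problem: each event concerns one account, and it should reach only the developers holding an active subscription to that account. The following Python model, added here as an illustration and not Twitter's own code, shows the failure mode (an event handed to a developer who is not subscribed to the account it describes) and a delivery-time authorization check that refuses such a send. All class names, developer ids, webhook URLs and the sample Direct Message are constructed for the example.

```python
"""
Minimal model of subscription-based webhook delivery (hypothetical, not
Twitter's implementation). It shows why the authorization check belongs at
the point of delivery: whatever upstream logic chose the recipient, the
sender re-verifies that the recipient subscribes to the event's account.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    account_id: str   # the account whose activity this event describes
    kind: str         # e.g. "direct_message", "protected_tweet"
    payload: str


@dataclass
class Developer:
    dev_id: str
    webhook_url: str
    active_subscriptions: set = field(default_factory=set)  # account ids


class DeliveryError(Exception):
    """Raised when an event would be sent to an unauthorized developer."""


class WebhookRouter:
    def __init__(self, developers):
        self.developers = {d.dev_id: d for d in developers}
        self.delivered = []  # (dev_id, webhook_url, event) records, for inspection

    def developers_for(self, event):
        """Every developer holding an active subscription to the event's account."""
        return [d for d in self.developers.values()
                if event.account_id in d.active_subscriptions]

    def deliver(self, event, dev_id):
        """Deliver one event to one developer, re-checking authorization at the
        point of delivery rather than trusting whoever picked the recipient."""
        dev = self.developers[dev_id]
        if event.account_id not in dev.active_subscriptions:
            raise DeliveryError(
                f"refusing to send {event.kind} for account {event.account_id} "
                f"to {dev_id} ({dev.webhook_url}): no active subscription")
        self.delivered.append((dev_id, dev.webhook_url, event))
        return dev.webhook_url

    def fan_out(self, event):
        """Route an event to all, and only, the subscribed developers."""
        return [self.deliver(event, d.dev_id) for d in self.developers_for(event)]


def build_demo():
    # Constructed sample data: an airline's developer and an unrelated developer.
    airline_dev = Developer("dev-airline", "https://airline.example/hook", {"acct-airline"})
    other_dev = Developer("dev-other", "https://other.example/hook", {"acct-shop"})
    router = WebhookRouter([airline_dev, other_dev])
    dm = Event("acct-airline", "direct_message", "constructed DM text")
    return router, dm


def demo_correct_routing():
    """Normal path: the airline's DM reaches only the airline's webhook."""
    router, dm = build_demo()
    return router.fan_out(dm)


def demo_misrouting_is_blocked():
    """Simulate the bug: a caller asks to deliver the airline's DM to the
    other developer. The guard in deliver() rejects it."""
    router, dm = build_demo()
    try:
        router.deliver(dm, "dev-other")
    except DeliveryError:
        return True
    return False


if __name__ == "__main__":
    print(demo_correct_routing())        # ['https://airline.example/hook']
    print(demo_misrouting_is_blocked())  # True
```

The point of `deliver()` re-checking the subscription is that the check is then independent of however the recipient was selected; a mistake in lookup or fan-out logic produces a logged refusal instead of a disclosure, which is also the event a detection pipeline would want to alert on.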
Notably, some users reacting to the API issue tweeted the notice they received from the company. A Twitter spokeswoman (via CNBC) said that no private messages between ‘individual users’ were shared with external developers.