Millions of Twitter DMs may have been exposed by year-long bug

Your private Twitter Direct Messages may have spilled over to a developer who was never meant to see them, thanks to a bug in one of the platform’s application programming interfaces (APIs).

It was very limited, and it was fixed lickety-split, Twitter said in an announcement on Friday. The bug doesn’t affect all your DMs; rather, it only involves messages and interactions with companies that use Twitter “for things like customer service,” the company said.

The buggy API was Account Activity (AAAPI): an API that allows registered developers to build tools that let businesses communicate with customers via Twitter. In some limited cases, under very specific circumstances, if you chatted with a business – say, an airline – or a Twitter account that happened to rely on a developer who used AAAPI to make the chat happen, your back-and-forth may have gone to another registered developer.

Likewise, if your business authorized a developer using the AAAPI to access your account, Twitter says the bug may have erroneously affected your activity data.

Twitter says that as far as it’s determined, it would take a “complex series of technical circumstances,” all happening at once, for the bug to have caused a leak to be sprung.

Twitter explains that the AAAPI sends data to registered developers who use that API based on their active subscriptions. The bug involved data being sent by Twitter to the wrong registered developer’s webhook URL.

When it was discovered two weeks ago, the microblogging platform shipped a fix to prevent data from being unintentionally sent to the wrong developer.

Less than 1% of users

Though the bug was present for over a year, Twitter hasn’t at this point discovered any instances where DMs or protected tweets were actually delivered to the wrong developer. But neither can it “conclusively confirm it didn’t happen,” so it’s notifying the “less than 1%” of Twitter’s 330 million users – who may have been affected.

To trigger the bug, all of the things in this list had to be true during the relevant time period: between May 2017 and within hours of Twitter discovering it on 10 September 2018:

  • Two or more registered developers had active AAAPI subscriptions configured for domains that resolved to the same public IP.
  • For active subscriptions, URL paths (after the domain) had to match exactly across those registered developers.
  • Those registered developers had activity relevant to their subscriptions occur in the same six-minute time period (relevant because of a cache-like behavior).
  • Those registered developers’ subscribers’ activities originated from the same backend server from within Twitter’s datacenter.

If all those technical circumstances were in place, transmission of activities to the wrong webhook URL could have persisted until one of the following conditions were met:

  • For up to two weeks, OR
  • Until no relevant activity occurred for six minutes, OR
  • Until the IP address of the developer whose data was being misdelivered changed.

Twitter’s still investigating the issue.

It’s contacting affected accounts directly via an in-app notice and on Twitter has also contacted its developer partners to make sure they’re “complying with their obligations to delete information they should not have,” it said.

Twitter emphasized that any developer who received such data unintentionally is one that’s registered with its developer program, which it’s been expanding in recent months to stamp out abuse and data misuse.

For example, in July, the company compelled all devs to register, limited them to 10 apps (though you could request permission if you needed more), imposed new rate limits for POST endpoints in order to cut down on spam posts, and said that it had kicked 143K bad apps off the platform between April and June.