Twitter has confirmed a bug in its account activity API (AAAPI) primarily affecting direct messages and interactions with companies that use the platform for customer service.
AAAPI is an API designed to let registered developers build tools to facilitate communication between businesses and customers via Twitter. Under specific circumstances, if a user chatted with a company on Twitter, and that company relied on a developer that used AAAPI to enable the chat, their DMs or protected tweets may have gone to another developer, Sophos reports.
The bug ran from May 2017 to September 10, 2018, when it was detected and addressed within hours of its discovery, Twitter says in a statement. The bug affected less than 1% of users, and the company immediately released a fix to prevent data from going to the wrong developers.
Based on its initial analysis, Twitter says "a complex series of technical circumstances had to occur at the same time" for this bug to have led to account data being shared with the wrong source. For example, two or more registered developers would have had to have active AAAPI subscriptions configured for domains that resolved to the same public IP.
Twitter is contacting account holders affected by this bug via in-app notifications and on twitter.com. It has also contacted developer partners to ensure they are complying with obligations to delete data they shouldn't have, and it states that anyone who mistakenly received the wrong information is part of its developer program, which was recently expanded.
Read more details here.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.