Twitter API Flaw Exposed Users Messages to Wrong Developers For Over a Year
September 23, 2018
Seid Yassin (557 articles)

Facebook is not the only platform dealing with the security and privacy problems created by APIs and third-party app developers.

A bug in Twitter’s API inadvertently exposed some users’ direct messages (DMs) and protected tweets to unauthorized third-party app developers who weren’t supposed to get them, Twitter disclosed in its Developer Blog on Friday.

What Happened?
Twitter found a bug in its Account Activity API (AAAPI), which registered developers use to build tools that handle businesses' communications with their customers; the bug could have exposed those customers' interactions to the wrong developer.

The AAAPI bug was present for more than a year, from May 2017 until September 10, 2018, when the microblogging platform discovered the issue and patched it “within hours of discovering it.”
In other words, the bug was live on the platform for almost 16 months.

How Did This Happen?

The bug lies in the way the AAAPI routes account activity to developers. An account, typically a business, authorizes a developer app to receive that account's activity; if a user then interacted with such an account, the bug could “unintentionally” deliver one or more of that user's DMs and protected tweets to the wrong developer rather than to the one the account had actually authorized.

“Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source,” Twitter explains.

“In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”
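
Twitter has not published the root cause, so the defect below is a constructed stand-in, not Twitter's code: a webhook fan-out that pairs a batch of events with subscriber apps by position instead of by the account each event belongs to, which is one generic way an event can reach a developer the account never authorized. The point the example makes is the control a practitioner would want regardless of the real cause: an authorization check at the moment of delivery, so that a routing mistake is blocked rather than leaked. App names, webhook URLs, account names and the event shape are all assumptions.

```python
"""Webhook fan-out with a delivery-time authorization check.

Constructed illustration, not Twitter's implementation. It models an
Account Activity style API: an account (e.g. an airline) authorizes a
developer app, and the platform pushes that account's activity (DMs,
tweets) to the app's webhook. The routing defect shown here is
hypothetical; the page does not state Twitter's actual root cause.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Developer:
    app_id: str
    webhook_url: str
    authorized_accounts: frozenset  # accounts that authorized this app


@dataclass(frozen=True)
class Event:
    for_user_id: str  # the subscribed account whose activity this is
    kind: str         # e.g. "direct_message_events"
    sender: str       # the other party in the conversation
    text: str


class MisroutedEvent(Exception):
    """An event was about to be sent to an app the account never authorized."""


def route_by_position(devs, events):
    """Hypothetical defect: pair events with subscribers by batch position.
    Correct only while the batch holds exactly one event per subscriber, in
    subscriber order; events arriving in time order break that assumption."""
    return list(zip(devs, events))


def route_by_account(devs, events):
    """Correct routing: an event goes only to apps authorized by for_user_id."""
    return [(d, e) for e in events for d in devs
            if e.for_user_id in d.authorized_accounts]


def send(dev, event):
    """Final guard immediately before the webhook POST. Re-checks the
    authorization relationship instead of trusting the router, so a
    routing bug becomes a blocked delivery rather than a data leak."""
    if event.for_user_id not in dev.authorized_accounts:
        raise MisroutedEvent(
            f"{dev.app_id} is not authorized for account {event.for_user_id!r}")
    # Network delivery omitted: return the record that would be POSTed.
    return {"app_id": dev.app_id, "webhook": dev.webhook_url,
            "for_user_id": event.for_user_id, "kind": event.kind}


def fan_out(router, devs, events):
    """Run a router, then send each pairing through the guard.
    Returns (delivered records, blocked misroutes)."""
    delivered, blocked = [], []
    for dev, event in router(devs, events):
        try:
            delivered.append(send(dev, event))
        except MisroutedEvent as exc:
            blocked.append(str(exc))
    return delivered, blocked


# Constructed sample data (hypothetical apps and accounts).
AIRLINE_APP = Developer("app_airline", "https://airline-crm.example/hook",
                        frozenset({"airline"}))
BANK_APP = Developer("app_bank", "https://bank-support.example/hook",
                     frozenset({"bank"}))
DEVS = [AIRLINE_APP, BANK_APP]
# Events arrive in time order, not subscriber order.
EVENTS = [
    Event("bank", "direct_message_events", "bob", "my card was blocked"),
    Event("airline", "direct_message_events", "alice", "seat change please"),
]


def demo():
    """Compare the defective router with the correct one, both guarded."""
    return {"position": fan_out(route_by_position, DEVS, EVENTS),
            "account": fan_out(route_by_account, DEVS, EVENTS)}


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(name, "delivered:", [(r["app_id"], r["for_user_id"]) for r in ok])
        print(name, "blocked:", bad)
```

With the positional router, alice's DM to the airline would have gone to the bank's app and bob's DM to the bank to the airline's app; the guard in `send` rejects both. The account-keyed router delivers each DM only to the app the account in question authorized, which is exactly the case the airline example in Twitter's statement describes.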

How Many Twitter Users Are Affected?
Although Twitter says it has not yet discovered any evidence that a wrong developer received DMs or protected tweets, the company also “can’t conclusively confirm it didn’t happen.”

Source | thehackernews