Twitter notifies users about API bug that shared DMs with wrong devs

September 21, 2018 TH Author

Twitter has started notifying users today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a user’s account with Twitter app developers.

According to a support page published today, Twitter said the bug was found in the Account Activity API (AAAPI), a system that allows Twitter business accounts to grant access to an account’s data to multiple developers at the same time.

Because of the bug, when regular Twitter users contacted Twitter business accounts that used the AAAPI, the bug send DMs and protected tweets to the wrong developers instead of the authorized ones.

Twitter said it discovered the bug on September 10, and fixed it the same day. They also said the bug was active between May 2017 and September 2018, for almost 16 months, and affected around one percent of Twitter users.

The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information.

Earlier today, Twitter began showing popup messages to affected users accessing the Twitter website or mobile app.

Twitter also said it contacted developers who received the unintended data and the company is “working with them to ensure that they are complying with their obligations to delete information they should not have.”

“We’re very sorry this happened,” a Twitter spokesperson said. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

On September 12, the Twitter staff also modified the way third-party apps can access images shared via direct messages, but this issue doesn’t appear to be related to today’s notification.

In July, Twitter hardened developer account verification policies in order to fight off bot networks and propaganda campaigns. The company also removed more than 143,000 suspicious apps at the same time.

Article updated shortly after publication with additional data from a Twitter blog post offering more details about the issue. Title updated accordingly.