clock menu more-arrow no yes mobile

Filed under:

Twitter bug may have sent users’ Direct Messages to external developers

New, 1 comment


Photo by Michele Doying / The Verge

A bug in how Twitter’s platform is accessed by third-party app developers may have exposed certain Direct Messages of select users to developers who do not work for Twitter, the company disclosed in a blog post today.

Twitter says the bug was active starting sometime in May 2017, and it issued a fix within hours of discovering the bug on September 10th, 2018. It affected less than 1 percent of users, and the Direct Messages affected were between users and accounts or businesses that relied on a certain API designed for customer service interactions. Twitter’s example is a Direct Message with an airline that uses a developer account to access the affected API, which is known as the Account Activity API (AAAPI).

“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” reads the post. “In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”

Twitter says a “complex series of technical circumstances” was required to result in your Direct Messages being sent to the wrong source, and it details those circumstances in a separate blog post. It also says it has no evidence that any Direct Messages were indeed sent to the wrong party, but it cannot rule out the possibility while the investigation is ongoing. Still, it’s a serious bug that doesn’t bode well for the privacy and data protection of users on the platform.

Twitter says it’s contacting affected users through its mobile app and website, and it’s working with developers to ensure anyone who received unauthorized information deletes it. Earlier this year, the company admitted to accidentally storing user passwords in plain text and advised all 330 million of its users at the time to change their login credentials.

Update September 21st, 3:21PM ET: Clarified that Twitter says it has no evidence that Direct Messages were sent to the wrong party, but that it cannot rule out the possibility it may have happened. The headline has been updated to reflect this fact.