A bug in Twitter Account Activity API exposed users messages to wrong developers

An issue in Twitter Account Activity API has exposed some users’ direct messages (DMs) and protected tweets to wrong developers.

A bug in Twitter Account Activity API has exposed some users’ direct messages (DMs) and protected tweets to unauthorized third-party app developers.

“We recently published a notice about a bug related to our Account Activity API that could have resulted in data being delivered to the wrong registered developer.” reads a security advisory published by Twitter.

“As part of our ongoing investigation, we have already emailed all developers who may have been impacted, and want to provide some additional details to potentially affected developers here.”

The Account Activity API (AAAPI) allows registered developers to build applications that could manages the full set of activities related to an Twitter account, including Tweets, DM

The bug in the Twitter AAAPI was introduced in May 2017, it was discovered in September 10 and patched”within hours of discovering it.” The problem only caused the exposure of users’ DMs and interactions with companies that use Twitter “for things like customer service.”

“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer.” states Twitter.

Twitter Account Activity API bug

Experts from Twitter confirmed that if a user interacts with an account or business on Twitter that used the AAAPI, the issue causes the unintentional sharing of one or more of their DMs and protected tweets to the wrong source.

“In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer.” continues Twitter.

“It is important to note that based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong sourc” 

The company is notifying potentially affected users, according to Twitter less than 1 percent of the users have been affected (more than 3 million people).

Twitter has already contacted developers who received the unintended data and is “working with them to ensure that they are complying with their obligations to delete information they should not have.”

The company is still investigating the issue.



Pierluigi Paganini

(Security Affairs – Twitter Account Activity API, data leak)


The post A bug in Twitter Account Activity API exposed users messages to wrong developers appeared first on Security Affairs.

Leave a Reply