Twitter: Don't panic, but we may have leaked your DMs to rando devs

Internet outrage mobile insists year-long API bug would have been super-hard to exploit

panic

Twitter is in full damage control mode after disclosing that it may have inappropriately exposed some unlucky twits' private tweets and direct messages to strangers.

The 280-character shoutfest admitted on Friday that a bug present in one of its APIs from May 2017 to September 10, 2018, could have caused some messages to leak to certain third-party programmers. The biz claimed less than one per cent of its users would be affected, but seeing as Twitter is used by roughly 340 million people a month, you do the math. (OK, perhaps as many as 3.4 million.)

According to Twitter, the coding blunder in its webhook system required a very specific set of circumstances to trigger. If it did flare up, a person's account activity would be routed to the wrong third-party application rather than apps connected to their account. Thus, copies of direct messages and protected tweet would end up in the hands of whoever built the application that incorrectly received that information.

"It is important to note that based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source," Twitter said.

Here, in full, is what Twitter said would need to happen for the now-fixed bug to show up.

  • Two or more registered developers had active Account Activity API subscriptions configured for domains that resolved to the same public IP.
  • For active subscriptions, URL paths (after the domain) had to match exactly across those registered developers -- e.g. https://example.com/[webhooks/twitter] and https://anotherexample.com/[webhooks/ twitter ]
  • Those registered developers had activity relevant to their subscriptions occur in the same 6-minute time period (relevant because of a cache-like behavior); and
  • Those registered developers’ subscribers’ activities originated from the same backend server from within Twitter’s datacenter.

If all those circumstances were met, the wrong developer would have been able to see subscribers' activities – including DMs and protected tweets – for up to two weeks or, more likely, until no activity occurred for a six minute period.

Broken chain graphic

Your Twitter app stopped working? Here's why

READ MORE

Twitter is notifying all developers and users who would have potentially been exposed, though it claims it has yet to find anyone actually exposed.

"Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review," Twitter said in its statement.

"Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted." ®




Biting the hand that feeds IT © 1998–2018