Twitter vulnerability sent Direct Messages to Developers

Twitter said on Friday that it has fixed a bug in its software that could have exposed users' private direct messages or protected tweets to third-party developers.

The bug was live from May 2017 until it was discovered on September 10, after which Twitter fixed the flaw to stop data from being unintentionally sent to the wrong developer. Twitter said that under 1 percent of its more than 335 million monthly active users were affected.

The bug was in Twitter's Account Activity API (AAAPI), which lets registered developers build tools that interact with users on Twitter.

Twitter's post said –

“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer”. “In some cases, this may have included certain direct messages or protected tweets, for example, a direct message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”

The bug could be triggered when two or more registered developers had AAAPI subscriptions configured for domains that resolved to the same public IP address; or, if they had activity relevant to their subscriptions occur within the same six-month period and their subscribers' activity originated from the same back-end server in Twitter's data center. Additionally, for active subscriptions, the URL paths had to match exactly across those registered developers for the issue to be triggered.
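As an added illustration, not Twitter's code or a description of its actual implementation, the Python model below shows how keying webhook delivery by the resolved destination (IP address plus URL path) instead of by the registered developer yields the cross-developer delivery described above, together with the check a platform operator could run to find colliding subscriptions. All hostnames, IP addresses and developer ids are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subscription:
    developer: str   # registered developer id (constructed sample value)
    hostname: str    # webhook host registered by the developer
    path: str        # webhook URL path

# Constructed DNS table: two unrelated developers host their webhooks
# behind the same shared public IP (shared hosting or a CDN edge).
DNS = {
    "airline-bot.example": "203.0.113.10",
    "other-saas.example": "203.0.113.10",
    "unique-host.example": "203.0.113.99",
}

# Constructed subscriptions: all three use the same path, two share an IP.
SUBS = [
    Subscription("dev_airline", "airline-bot.example", "/webhooks/twitter"),
    Subscription("dev_other", "other-saas.example", "/webhooks/twitter"),
    Subscription("dev_third", "unique-host.example", "/webhooks/twitter"),
]

def resolve(hostname):
    return DNS[hostname]

def buggy_route(subs, event_developer, hostname, path):
    """Route by (resolved IP, path) only. Any other developer whose
    destination collides receives the event too, the mis-delivery
    condition described in the article."""
    ip = resolve(hostname)
    return sorted({s.developer for s in subs
                   if resolve(s.hostname) == ip and s.path == path})

def fixed_route(subs, event_developer, hostname, path):
    """Route by the developer the user actually authorized first; a
    shared IP and identical path can no longer cause a collision."""
    ip = resolve(hostname)
    return sorted({s.developer for s in subs
                   if s.developer == event_developer
                   and resolve(s.hostname) == ip and s.path == path})

def find_collisions(subs):
    """Operator-side check: subscriptions from different developers that
    share a resolved IP and an exact path, i.e. the trigger condition."""
    by_key = {}
    for s in subs:
        by_key.setdefault((resolve(s.hostname), s.path), set()).add(s.developer)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
```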

A Twitter spokesperson told Threatpost the company is confident the data was not misused, stating – “Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data.”

Some of the affected users tweeted asking for more details about the issue.
John Opdenakker tweeted –

Another security researcher tweeted asking which of her messages were affected and who had received them.

Twitter said its investigation is still ongoing; any affected users were notified through an in-app notice.

Earlier this year, in May, Twitter said a bug caused account passwords to be stored in plain text in an internal log, sending users across the platform scrambling to change their passwords. The social media firm said it found and fixed the bug and that its investigation showed no sign of a breach or misuse.

Both incidents come as Twitter, along with companies such as Facebook, struggles to strengthen its data security protections.
