[BreachExchange] Twitter API Flaw Exposed Users Messages to Wrong Developers For Over a Year
Destry Winant
destry at riskbasedsecurity.com
Tue Sep 25 08:25:26 EDT 2018
https://thehackernews.com/2018/09/twitter-direct-message-api.html
The security and privacy issues with APIs and third-party app
developers are something that's not just Facebook is dealing with.
A bug in Twitter's API inadvertently exposed some users' direct
messages (DMs) and protected tweets to unauthorized third-party app
developers who weren't supposed to get them, Twitter disclosed in its
Developer Blog on Friday.
What Happened?
Twitter found a bug in its Account Activity API (AAAPI), which is used
by registered developers to build tools to support business
communications with their customers, and the bug could have exposed
those customers' interactions.
The Twitter AAAPI bug was present for more than a year—from May 2017
until September 10—when the microblogging platform discovered the
issue and patched it "within hours of discovering it."
In other words, the bug was active on the platform for almost 16 months.
"If you interacted with an account or business on Twitter that relied
on a developer using the AAAPI to provide their services, the bug may
have caused some of these interactions to be unintentionally sent to
another registered developer," Twitter explains.
How Did This Happen?
The bug resides in the way Twitter's AAAPI works. If a user interacts
with an account or business on Twitter that used the AAAPI, the bug
"unintentionally" sends one or more of their DMs and protected tweets
to the wrong developers instead of the authorized ones.
"Based on our initial analysis, a complex series of technical
circumstances had to occur at the same time for this bug to have
resulted in account information definitively being shared with the
wrong source," Twitter explains.
"In some cases this may have included certain Direct Messages or
protected Tweets, for example a Direct Message with an airline that
had authorized an AAAPI developer. Similarly, if your business
authorized a developer using the AAAPI to access your account, the bug
may have impacted your activity data in error."
How Many Twitter Users Are Affected?
Although Twitter says it has not yet discovered any evidence that a
wrong developer received DMs or protected tweets, the company also
"can't conclusively confirm it didn't happen."
So, it is notifying potentially impacted people, which, according to
Twitter, are less than 1 percent. Since Twitter now has over 336
million monthly active users, the bug could potentially affect more
than 3 million people.
"Any party that may have received unintended information was a
developer registered through our developer program, which we have
significantly expanded in recent months to prevent abuse and misuse of
data," the company says.
It should be noted that the bug only involves users' DMs and
interactions with companies that use Twitter "for things like customer
service"—not all your DMs.
How Is Twitter Handling The Issue?
Twitter says the company has already contacted developers who received
the unintended data and is "working with them to ensure that they are
complying with their obligations to delete information they should not
have."
Twitter says its investigation into the bug is still "ongoing," and
assures its users that at the current moment, the company has "no
reason to believe that any data sent to unauthorized developers was
misused."
"We're very sorry this happened," Twitter says. "We recognize and
appreciate the trust you place in us, and are committed to earning
that trust every day."
What Can Affected Users Do?
Nothing. Yes, you really can't do anything about your data which has
already been gone into wrong hands.
Just like in case of Cambridge Analytica scandal, wherein Facebook
requested the developer to delete the data citing its privacy policy,
but we all know what happened, Twitter can only ensure that the
third-party developers comply with their obligations to delete your
information, but can not confirm.
More information about the BreachExchange
mailing list