[BreachExchange] Twitter bug sent user's direct messages to third-party developers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 25 19:14:25 EDT 2018


http://www.ehackingnews.com/2018/09/twitter-bug-sent-users-direct-messages.html

Micro-blogging site Twitter announced that it has patched a bug in its
Account Activity Application Programming Interface (AAAPI) that sent users'
private direct messages to third-party developers who were not authorized to
receive them.

The bug was present from May 2017 until the company found and fixed it on
September 10, 2018. Twitter estimates that it affected less than 1 percent of
its account holders, which still means that more than 3 million people are
potentially impacted.

The company has started notifying individuals via an in-app notice and on
Twitter.com. The notice reads:

"A bug affecting one of our APIs

On Monday, September 10, we identified a bug that may have sent one or more
of your Direct Messages or protected Tweets (if your account was protected
at the time) to Twitter developers who were not authorized to receive them.
The issue has persisted since May 2017, but we resolved it immediately upon
discovering it. Our investigation into this issue is ongoing, but presently
we have no reason to believe that any data sent to unauthorized developers
was misused. Learn more.

We regret the incident and sincerely apologize for the error. No action is
required from you. However, if you have any questions or concerns regarding
this incident, you can contact Twitter via the privacy policy inquiry page."

According to the company's initial investigation report, there is no
evidence that any data was improperly misused or exploited anywhere.

However, the investigation is still ongoing, and the company will comment
further on the incident once it has the final investigation report. Twitter
has also said that it will review its enterprise partners.

"We have no evidence to suggest that any data was improperly misused or
exploited anywhere," the company said.