A Twitter API bug potentially granted developer access to private messages and locked accounts, according to a disclosure by the microblog…
Late last week, Twitter sent a message to a large number of its users, warning them about an API bug. The social site first identified the problem on September 10th. It potentially gave developers access to read direct messages and look at private accounts. What’s more, the access was mistakenly given to “Twitter developers who were not authorized to receive them.”
Twitter API Bug Gave Potential Developer Access to Direct Messages and Private Accounts
The Twitter API bug, however, is very difficult to exploit. This is because two or more registered developers would have had to not only share the information but also match the data. In other words, it is complex enough that it is very doubtful anything malicious happened.
“Based on the way the Account Activity API works, the issue itself would have involved data being sent by Twitter to the wrong registered developer’s webhook URL. This API sends data to registered developers who use the Account Activity API based on their active ‘subscriptions.’”
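The quote describes webhook fan-out keyed on active subscriptions: each event concerns one account and should reach only the developers holding a subscription for that account. The following is an added example, not Twitter's code and not a reconstruction of the actual defect. It models a provider-side dispatcher that routes strictly by its subscription table, and a receiver-side guard that a developer can run on every delivery, rejecting and logging events for accounts the receiver never subscribed to. Developer names, webhook URLs, and the `for_user_id` field are constructed for the example.

```python
"""Added example (not Twitter's code): webhook fan-out keyed on subscriptions,
plus a receiver-side check that drops misrouted deliveries.

All names, URLs and event fields below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Developer:
    """One registered developer with a webhook URL and its active subscriptions."""
    name: str
    webhook_url: str                      # constructed placeholder URL
    subscribed_users: Set[str] = field(default_factory=set)


class Dispatcher:
    """Provider side: fan out an event only to developers subscribed to its user."""

    def __init__(self) -> None:
        self._by_user: Dict[str, List[Developer]] = {}

    def subscribe(self, dev: Developer, user_id: str) -> None:
        dev.subscribed_users.add(user_id)
        self._by_user.setdefault(user_id, []).append(dev)

    def route(self, event: dict) -> List[str]:
        """Return the webhook URLs entitled to receive this event.

        Routing is looked up per event from the subscription table; an event
        for a user nobody subscribed to goes nowhere.
        """
        return [d.webhook_url for d in self._by_user.get(event["for_user_id"], [])]


def receiver_accept(dev: Developer, event: dict) -> bool:
    """Consumer side: accept an event only if it concerns a user this developer
    holds an active subscription for.  Anything else is treated as misrouted."""
    return event.get("for_user_id") in dev.subscribed_users


def deliver(dispatcher: Dispatcher, developers: List[Developer], event: dict,
            faulty_targets: Optional[List[str]] = None) -> Dict[str, str]:
    """Deliver one event and report per webhook URL: 'processed' or 'rejected'.

    `faulty_targets`, when given, overrides the dispatcher's routing to simulate
    a provider-side defect that sends the event to the wrong webhook, so the
    receiver guard can be seen catching it.
    """
    targets = faulty_targets if faulty_targets is not None else dispatcher.route(event)
    by_url = {d.webhook_url: d for d in developers}
    outcome: Dict[str, str] = {}
    for url in targets:
        dev = by_url[url]
        if receiver_accept(dev, event):
            outcome[url] = "processed"
        else:
            # Receiver logs and discards rather than handling another party's data.
            print(f"[{dev.name}] rejected event for unsubscribed user "
                  f"{event.get('for_user_id')!r}")
            outcome[url] = "rejected"
    return outcome


if __name__ == "__main__":
    alice = Developer("alice", "https://alice.example/hook")
    bob = Developer("bob", "https://bob.example/hook")
    disp = Dispatcher()
    disp.subscribe(alice, "user-1")
    disp.subscribe(bob, "user-2")

    # Constructed event: a direct-message notification for user-1.
    event = {"for_user_id": "user-1", "direct_message_events": [{"text": "hi"}]}
    print(deliver(disp, [alice, bob], event))                       # alice processes it
    print(deliver(disp, [alice, bob], event,
                  faulty_targets=["https://bob.example/hook"]))     # bob rejects it
```

The receiver guard is the part a developer controls: it does not prevent a provider from misrouting, but it turns a misdelivery into a logged rejection instead of silently processed data belonging to another party.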
Twitter states that it has not yet uncovered any issues but is nonetheless still investigating.
“Our team has been working diligently with our most active enterprise data customers and partners who have access to this API to evaluate if they were impacted. Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review. Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted.”