Twitter Bug Sent Direct Messages to External Developers

More Than 3 Million Users' DMs Leaked to Third Parties
Heads-up to any Twitter user who sent a rant-filled message to an airline or other organization following poor customer service: The message may not have gone only to the intended recipient.

Twitter is warning users that it has now fixed a flaw that sometimes sent direct messages meant for one account to other external developers. It says the bug existed for 16 months - from May 2017 until it was fixed on Sept. 10.

The flaw affected less than 1 percent of users, Twitter says. For the second quarter of this year, Twitter reported in its financial results that it had 335 million active monthly users, which would mean that the count of affected users would number more than 3 million.

"We're very sorry this happened," Twitter says in a statement. "We recognize and appreciate the trust you place in us and are committed to earning that trust every day."

Notifications Under Way

Twitter says it is notifying those whose messages went to unintended recipients through an in-app notice and also via It is also contacting developers who may have received the messages.

"We have contacted our developer partners and are working with them to ensure that they are complying with their obligations to delete information they should not have," Twitter says.

Last November, Twitter began tightening its rules for how developers can access its APIs, which allow access to a variety of platform data.

Social networking sites have sought to revamp their rules in light of Facebook's problems with Cambridge Analytica, which improperly acquired data on 87 million Facebook users (see Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).

Facebook has subsequently been auditing apps that may have collected user data prior to 2015. In that year, the site tightened its rules about what personal information apps were allowed to collect and has continued its efforts to make its users' data more secure (see Facebook's Security and Privacy Overhaul Comes at a Price).

Twitter, meanwhile, now requires any developer who wants access to its APIs to register for a developer account. That includes developers who may have previously been able to access APIs without an account.

As part of registration, developers must now describe how they will use the APIs, which Twitter says it reviews to ensure that they will comply with its policies.

Twitter says that over a three-month period earlier this year, it removed 143,000 apps that violated its policies.

Complex Bug

In the case of the DM-spilling flaw, Twitter says a "complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source."

The bug was contained within its Account Activity API, which enables real-time monitoring of an account. It's one of Twitter's paid services that organizations can use to run services such as customer service accounts and chatbots that have to deal with a high volume of tweets.

Twitter says complex conditions were required to trigger the bug that led to users' direct messages being sent to external developers.

Essentially, the bug would cause activity associated with an account monitored by the API to be sent to the wrong registered developer's webhook URL, Twitter says. The URL paths after the domain had to match exactly, it says, offering "[webhooks/twitter]" as an example.

There was also a timing element to the bug. Namely, activity had to occur on monitored accounts within a six-minute period due to cache-like behavior, Twitter says. Also, the registered developers' subscribers' activities had to have originated from the same backend server from within Twitter's data center.

The misdirected content would continue for up to two weeks, or until no relevant activity occurred for six minutes, or "until the IP address of the developer whose data was being misdelivered changed."
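As an added illustration (not Twitter's code and not a reconstruction of its implementation), the following constructed Python model shows how a delivery cache keyed on the webhook URL path alone can misroute activity while it stays warm, and how keying on scheme, host and path avoids it. The class, function names and `.example` hosts are assumptions; one cache instance stands for one backend server, and the six-minute idle window is taken from the article.

```python
from urllib.parse import urlsplit

TTL = 360  # six-minute idle window from the article, in seconds


class DeliveryCache:
    """Hypothetical per-backend cache: webhook key -> (destination, last used)."""
    def __init__(self, key_fn):
        self.key_fn = key_fn  # decides what identifies a webhook
        self.entries = {}

    def route(self, webhook_url, now):
        key = self.key_fn(webhook_url)
        hit = self.entries.get(key)
        if hit and now - hit[1] <= TTL:
            dest = hit[0]  # reuse the cached destination
        else:
            dest = urlsplit(webhook_url).netloc  # resolve afresh
        self.entries[key] = (dest, now)  # any activity refreshes the entry
        return dest


def path_only(url):
    # Weak key: two developers can both register "/webhooks/twitter".
    return urlsplit(url).path


def origin_and_path(url):
    # Corrected key: scheme, host and path together identify the webhook.
    u = urlsplit(url)
    return (u.scheme, u.netloc.lower(), u.path)


def misdelivered(key_fn, events):
    """Return (time, intended host, actual host) for each wrong delivery."""
    cache, wrong = DeliveryCache(key_fn), []
    for t, url in events:
        actual, intended = cache.route(url, t), urlsplit(url).netloc
        if actual != intended:
            wrong.append((t, intended, actual))
    return wrong


# Constructed sample: two developers whose webhook paths match exactly.
A = "https://dev-a.example/webhooks/twitter"
B = "https://dev-b.example/webhooks/twitter"
EVENTS = [(0, A), (120, B), (300, B), (700, B), (800, A)]
print(misdelivered(path_only, EVENTS))
print(misdelivered(origin_and_path, EVENTS))
```

In the sample, the event at 700 seconds is delivered correctly because the entry had been idle for more than six minutes, which mirrors the expiry condition the article describes.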

Investigation Continues

Twitter says its postmortem first focused on its most active enterprise customers and partners that had access to the API, and it says its investigation is continuing.

"We can confirm that the bug did not affect any of the partners or customers with whom we have completed our review," it says. "Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
