Some Twitter users received an alert on Friday warning that a bug “may have” allowed their direct messages and protected tweets to be viewed by developers who weren’t authorized to see them. But the conditions needed for that to happen seem so far-fetched, it’s unlikely any users at all were actually affected.
There’s a possibility that the bug, introduced in May 2017, impacted users who’ve interacted with businesses via Twitter, such as anyone who’s exchanged direct messages with a customer service agent.
Specifically, the bug affected developers with access to Twitter’s Account Activity API (AAAPI), an interface used by premium- and enterprise-level developers that grants access to a wide range of real-time activities. These include the ability to create third-party apps that can follow, mute, or block users, or send and receive direct messages.
A typical use of the AAAPI would be creating tools that allow customer service agents to interact with users who complain on Twitter about a product or brand. Tweet that you’re having problems with an Adobe product, for instance, and you’re likely to receive a tweet back from a customer service agent. If your DMs are open or you follow their account, they’ll direct message you instead.
But unlike users, the brand’s representative probably isn’t using Twitter’s website or app to communicate. Instead, they likely using a special interface designed and sold by a third-party developer. They may even just be a chatbot, another common use of the AAAPI by developers.
In regards to the bug, some of the private exchanges between users and companies may have been shared with the wrong people, i.e., other AAAPI developers. Users with protected tweets that interacted with business online may also have also had their tweets passed along to the wrong developer.
For any of this to happen, however, Twitter notes that a “complex series of technical circumstances” would’ve had to occur simultaneously. And they’re right. The conditions described by the company make the likelihood of it happening often, at least, sound pretty incredible.
First, the bug requires that both the authorized and unauthorized recipient have AAAPI subscriptions for domains that resolve to the same public IP. Already, that would narrow down the number of developers who might receive unauthorized access significantly. One way this might happen is if a company had multiple developers subscribed to the API for, say, work on different products.
Second, the domains would also have to share URL paths—the part of the URL that comes after the .com or .org, another criterion further narrowing considerably the number of developers presumably affected.
The two developers would also both have to be actively using the AAAPI within the same six-minute period—the least rare of the described conditions. A chatbot working for a major company, like Comcast or McDonalds, is probably responding to hundreds, if not thousands, of complaining Twitter users every day.
Oh, and to top it off, the activity generated by the two developers would have to “originate from the same backend server” at Twitter’s data center.
At th time of writing, it isn’t clear if Twitter knows which developers, or how many of them, somehow, by sheer coincidence, fit this complex set of criteria. It would only say that less than 1 percent of users may have been impacted. While, sure, that does leave open the possibility that millions were affected, it seems unlikely given the preconditions described above.
It’s important to note that whether or not the developers received information they shouldn’t have, they are still bound by the same developer agreement, with the same privacy and security restrictions, as they’ve always been.
Twitter did not immediately respond to additional questions about the bug, but we’ll update if they do.