The flaw affected one of the platform’s APIs between May 2017 and September 10 of this year, when it was patched “within hours”
Twitter has fixed a bug that is believed to have shared Direct Messages (DMs) and protected Tweets of some users with developers who were not authorized to access that information.
According to the company’s announcement, the flaw resided in its Account Activity API (AAAPI), which enables developers to create tools for communications with customers.
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” said the company on its support page. This could, for instance, be a DM to an airline that has authorized an AAAPI developer, according to Twitter. Such interactions in general may commonly contain sensitive customer-related information.
The bug affected the AAAPI from May 2017 and was fixed “within hours of discovering it” on September 10, said Twitter. Fewer than 1% of Twitter’s 335 million users are thought to have been affected by the bug. They’re all being informed via an in-app notice and on the platform’s website.
The company also said that it is working with its partner developers “to ensure that they are complying with their obligations to delete information they should not have”. Twitter has hundreds of such developers.
Speaking to CNBC, a Twitter spokesperson said that the company has found no evidence of misuse or exploitation of the data shared due to the bug, although that possibility cannot be ruled out. In addition, a complex set of circumstances was required to occur at the same time for the flaw to actually be triggered, according to Twitter, which continues to investigate the issue.
In May of this year, Twitter urged all of its users to change their passwords after it discovered a glitch in its systems that stored plain-text passwords in an internal log. Back then, the company also said that its own probe found no indication of breach or misuse of the data.