Twitter bug shared Direct Messages for more than a year

Twitter has admitted to an embarrassing mistake which could have sent users' Direct Messages to other developers, with the bug remaining undetected for sixteen months. The short-message social network began notifying potentially affected users today, warning them that because of a fault in its platform, tweets they'd thought private or protected could've been shared with other users.

"The bug ran from May 2017 and within hours of discovering it on September 10, 2018, we shipped a fix to prevent data from being unintentionally sent to the incorrect developer," Twitter said today.

At the heart of the blunder is the Account Activity API, or AAAPI, which Twitter offers to its registered developers. It's billed as a way for businesses like airlines and customer support agencies to improve their reactiveness, as well as better monitor customers. In this case, however, it could have led to messages being inadvertently shared.

For example, if you used Twitter to interact with an account or business that was using the AAAPI, some of those interactions could have been "unintentionally sent to another registered developer." That could have included "certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer," Twitter admits.

Twitter insists that the fault affected less than 1-percent of its users. It also maintains that "a complex series of technical circumstances had to occur at the same time" in order for a private message to be unwittingly shared in this way.

In a technical blog discussing the issue, it lays out the exact circumstances which would have been required. That includes two or more registered AAAPI developers with subscriptions configured for domains resolving to the same public IP, with active subscriptions that had matching URL paths, and that the activity of each fell within the same six minutes, among other things. Even then, at most it would've lasted for two weeks.

"Our team has been working diligently with our most active enterprise data customers and partners who have access to this API to evaluate if they were impacted," Twitter says. "Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review. Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted."

The company points out that its registered developers agree to abide by Twitter's security and privacy policy, which means – among other things – that they're required to delete information they should not have. It will also be notifying all affected users, both through the Twitter app and the web-based interface.

On the face of it, it seems likely that few people will have actually had their direct messages and protected tweets inadvertently shared in this manner. It's also worth noting that this doesn't affect all of your Direct Messages, only those specifically exchanged with companies using the AAAPI. Nonetheless, this is unlikely to reflect well on Twitter overall, even if the company is being upfront about the implications now.