Twitter announced that it has created and deployed a patch for a flaw in its Account Activity API (AAAPI). In its post, Twitter states the following about the Account Activity API flaw:
We recently discovered a bug in our Account Activity API (AAAPI). This API allows registered developers to build tools to better support businesses and their communications with customers on Twitter. If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer. In some cases this may have included certain Direct Messages or protected Tweets… Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.
While the company asserts that the Twitter AAAPI flaw affected under 1 percent of user accounts on the social media platform, the concerning aspect is that the flaw existed from May 2017 until its discovery in September of this year. The company states that nothing sensitive was compromised due to this bug; however, as Threatpost reports, the affected developers are not exactly buying this explanation. Numerous individuals, including Katie Moussouris of Luta Security, voiced their concern that misdirected messages can put their company’s security at risk.
In a tweet, Moussouris stated the following:
I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised?
The company is still investigating the Account Activity API incident as of the publishing of this article, but even a casual onlooker can see that it dropped the ball here. In a world where social media is now embedded in the communication methods we use, it is imperative that the companies who facilitate this communication step up their efforts to protect their users’ privacy.
Featured image: Flickr / Peter Petrus