The Twitter Bug That Probably Didn’t Expose Direct Messages

Sep 27, 2018 | Blog


Some Twitter users recently received a warning that a bug “may have” allowed unauthorized developers to view their direct messages and protected tweets. However, the conditions needed to trigger the bug are so far-fetched that it is unlikely any users were actually affected.

Introduced in May 2017, the bug impacted users who had interacted with outside businesses via Twitter, for example anyone who exchanged direct messages with a customer service agent. This is because the bug affected developers with access to Twitter’s Account Activity API (AAAPI), an interface used by premium- and enterprise-level developers that gives them access to a wide range of real-time account activity. Using that activity, developers can build third-party apps that follow, mute, or block users, or send and receive direct messages.

The AAAPI is typically used on behalf of customer service agents to interact with users who complain about a product, service, or brand on Twitter. As a user, if your direct messages (DMs) are open and you follow a business account that uses this specially designed interface, then there is a chance your private messages were shared with other AAAPI developers, but with no one else. The preconditions are so unlikely to coincide that the share of affected users is below 1%.

To be affected, here’s what would have had to happen:

  1. Both the authorized and unauthorized recipient have AAAPI subscriptions for domains that connect to the same public IP.
  2. The domains would also share the same URL paths.
  3. Two developers would have to be actively using the AAAPI interface within the same six-minute period.
  4. All of this activity would have to originate from the same backend server at the Twitter data center.