Twitter discovered an API bug that was sending DMs and protected Tweets to the wrong developers for 1.5 years

These last few days haven’t been exactly pleasant for Twitter and its developer team, the reason being that the company only recently discovered an API bug that has existed since May 2017.

Here’s the announcement that was posted on their help blog:

“We recently discovered a bug in our Account Activity API (AAAPI). This API allows registered developers to build tools to better support businesses and their communications with customers on Twitter. If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer. In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”

Twitter states that less than 1% of the platform’s users were affected. The rest are not in immediate danger because “a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source”, according to their analysis.

Still, discovering a bug that affects people’s privacy a year and a half late is a hard hit to recover from, especially if you’re one of the handful of most widely used social networking platforms in the world. Consequently, the public outcry was massive and came from numerous users; ZDNet has some great examples of those.

If you’ve read this far, you should be able to tell the two different points of view apart. On the one hand, we’ve got Twitter, which is swearing up and down that there’s really no major safety issue and that no personal data is in immediate danger.

On the other hand, Twitter users are growing wary of their accounts’ safety, and most of them seem to think that the company’s defensive strategy is not going to do much for their broken trust.

Let’s see, then, where those two views meet. A bit of research around API bugs and how easy it is to locate one under varying circumstances indicates that 1.5 years is maybe a long time to not realize you’ve got a bug running in your database. But maybe not that long when you consider that the first and most important source that alerts developers to a bug is the platform’s users. And given that ‘less than 1%’ of users have been affected by this API bug, you can see why this issue did not gather much attention so far.

In addition, this specific bug occurs only when four technical circumstances are met at the same time, and it would persist for up to two weeks, or until no relevant activity occurred for 6 minutes, or until the IP address of the developer whose data was being misdelivered changed. Hence, the bug is hard to trigger and relatively easy to clear.

As far as the end users are concerned, they’re getting upset for all the right reasons. Their accounts could be in danger and they have had no idea for the last year and a half. The vast majority of those end users may not be sure what the technical issue is, or what the chances are that they will be affected as well. And not being able to control the situation or understand the issue in depth is part of their response. But then again, an end user doesn’t have to be a developer to get a Twitter account. One doesn’t even need to be tech savvy. So, from the users’ perspective, when an issue has been ongoing for so long and they’re only finding out now, they have every right to get upset, regardless of how serious the issue is or how it affects them.

And that’s your middle ground right there. Well, it’s not so much in the middle as it is more on the users’ side, but you get the point. Twitter is assuring its users that there’s no major impact. That’s good news. The company is actually trying its best to fix the issue in a timely manner, while at the same time making sure that the minimum possible number of developers and end users have been affected. That’s good news too. But the customers still have the right to get upset and sensitive about their accounts and all the personal information those may hold, even if they’re not being impacted in any way. Because when you choose to use a platform, you only have to know how to use it and to what extent its use affects you. You don’t have to know the technical nature of how the platform works. If that were the case, then social networks would only be used by their

So, the least Twitter can do – apart from fixing the issue, of course, and making sure that no similar incidents occur in the future – is educate its users and provide some more insight as to how this bug works and how the company’s developer team can make sure that users are not affected by it.



Published: Oct 1 2018