These last few days haven't been exactly pleasant for Twitter and its developer team, the reason
being that the company only recently discovered an API bug that has existed since May 2017.
Here's the announcement that was posted on their help blog:
“We recently discovered a bug in our Account Activity API (AAAPI). This API allows registered
developers to build tools to better support businesses and their communications with customers on
Twitter. If you interacted with an account or business on Twitter that relied on a developer using the
AAAPI to provide their services, the bug may have caused some of these interactions to be
unintentionally sent to another registered developer. In some cases this may have included certain
Direct Messages or protected Tweets, for example a Direct Message with an airline that had
authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to
access your account, the bug may have impacted your activity data in error.”
Twitter states that less than 1% of the platform’s users were affected. The rest are not in immediate
danger because “a complex series of technical circumstances had to occur at the same time for this
bug to have resulted in account information definitively being shared with the wrong source”,
according to their analysis.
Still, discovering a bug that affects people's privacy a year and a half late is a hard hit to recover
from, especially if you're one of the handful of most widely used social networking platforms in the
world. Consequently, the public outcry was massive and came from numerous users; ZDNet has
some good examples of those.
If you've read this far, you should be able to tell apart the two different points of view. On the one
hand, we've got Twitter, which is swearing up and down that there's really no major safety issue and
that no personal data is in immediate danger.
On the other hand, Twitter users are growing wary about the safety of their accounts, and most of them
seem to think that the company's defensive strategy is not going to do much for their broken trust.
Let's see then where those two views meet. A bit of research around API bugs and how easy it is to
locate one under varying circumstances indicates that 1.5 years is perhaps a long time to not realize
you've got a bug running in production. But maybe not that long when you consider that the first
and most important source that alerts developers to a bug is the platform's users. And given
that 'less than 1% has been affected' by this API bug, you can see why this issue did not gather much
attention so far.
In addition, this specific bug occurs only when four technical circumstances are met, and would
persist for up to two weeks, or until no relevant activity occurred for 6 minutes, or until the IP
address of the developer whose data was being misdelivered changed. Hence the bug is hard to
trigger and relatively quick to clear.
As far as the end users are concerned, they're getting upset for all the right reasons. Their accounts
could be in danger and they have had no idea for the last year and a half. The vast majority of
those end users may not be sure what the technical issue is, or what the chances are that they will
be affected as well. Not being able to control the situation or understand the issue in depth is
part of their response. But then again, an end user doesn't have to be a developer to get a Twitter
account. One doesn't even need to be tech savvy. So, from the users' perspective, when an issue has been
ongoing for so long and they're only finding out about it now, they have every right to get upset, regardless of
how serious the issue is or how it affects them.
And that's your middle ground right there. Well, it's not so much in the middle as it is more on the
users' side, but you get the point. Twitter is assuring its users that there's no major impact. That's
good news. The company is actually trying its best to fix the issue in a timely manner, while at the
same time making sure that the smallest possible number of developers and end users have
been affected. That's good news too. But the customers still have the right to get upset and sensitive
about their accounts and all the personal information that those may hold, even if they're not being
impacted in any way. Because when you choose to use a platform, you only have to know how to
use it and to what extent its use affects you. You don't have to know the technical nature of how
the platform works. If that were the case, then social networks would only be used by their
developers.
So, the least Twitter can do – apart from fixing the issue of course and making sure that no similar
incidents occur in the future – is educate its users and provide some more insight as to how this bug
works and how the company's development team can make sure that users are not affected by it.
Sources:
https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html
https://help.twitter.com/en/account-activity-api
https://www.zdnet.com/article/twitter-notifies-developers-about-api-bug-that-shared-dms-with-wrong-devs/