
A bug in Twitter Account Activity API exposed users messages to wrong developers


A bug in the Twitter Account Activity API exposed some users’ direct messages (DMs) and protected tweets to the wrong developers.

The flaw caused data belonging to some users, including their DMs and protected tweets, to be delivered to registered third-party app developers who were not authorized to receive it.

“We recently published a notice about a bug related to our Account Activity API that could have resulted in data being delivered to the wrong registered developer.” reads a security advisory published by Twitter.

“As part of our ongoing investigation, we have already emailed all developers who may have been impacted, and want to provide some additional details to potentially affected developers here.”

The Account Activity API (AAAPI) allows registered developers to build applications that manage the full set of activities related to a Twitter account, including Tweets, DMs

The bug in the Twitter AAAPI was introduced in May 2017, discovered on September 10 and patched “within hours of discovering it.” According to Twitter, the exposure was limited to users’ DMs and interactions with companies that use Twitter “for things like customer service.”

“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer.” states Twitter.

Twitter confirmed that if a user interacted with an account or business that relied on the AAAPI, the bug could have caused one or more of that user’s DMs and protected tweets to be delivered to the wrong developer.

“In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer.” continues Twitter.

“It is important to note that based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source.”
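The advisory describes a delivery routed to the wrong registered developer, which is a failure mode a webhook receiver can partly defend against on its own side. The following is an added example, not code from Twitter or from the article, of how an AAAPI webhook consumer could validate each delivery. It assumes the AAAPI conventions as documented at the time (a CRC challenge answered with an HMAC-SHA256 of the crc_token keyed with the app’s consumer secret, a signature header of the form sha256=<base64 HMAC over the body>, and event bodies carrying for_user_id); treat those field and header names, the consumer secret and the sample bodies as constructed assumptions. The point it makes is that a valid signature alone does not prove the event is for one of your subscribed users, so the receiver also allow-lists for_user_id before touching any DM content.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example: not real credentials or real user IDs.
CONSUMER_SECRET = b"example-consumer-secret-not-real"
SUBSCRIBED_USER_IDS = {"1001", "1002"}


def sign_body(body: bytes, secret: bytes = CONSUMER_SECRET) -> str:
    """Build the 'sha256=<base64 HMAC-SHA256>' form assumed for the AAAPI
    signature header. Twitter computes this server-side; here it is used
    both to verify deliveries and to fabricate sample deliveries."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(digest).decode()


def verify_signature(body: bytes, header_value: str, secret: bytes = CONSUMER_SECRET) -> bool:
    """Constant-time comparison of the presented header against our own HMAC."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(body, secret), header_value)


def crc_response(crc_token: str, secret: bytes = CONSUMER_SECRET) -> dict:
    """Answer the CRC challenge that proves we hold the consumer secret."""
    return {"response_token": sign_body(crc_token.encode(), secret)}


def handle_delivery(body: bytes, header_value: str, subscribed=SUBSCRIBED_USER_IDS) -> dict:
    """Decide whether a webhook delivery may be processed at all."""
    if not verify_signature(body, header_value):
        return {"decision": "reject", "reason": "bad_signature"}
    event = json.loads(body)
    user_id = str(event.get("for_user_id", ""))
    if user_id not in subscribed:
        # The signature checks out, so the delivery was addressed to this app,
        # yet the subject account is not one we subscribed. That is the
        # misrouting pattern in the advisory: drop it and alert, never store it.
        return {"decision": "reject", "reason": "unsubscribed_user", "for_user_id": user_id}
    dms = event.get("direct_message_events", [])
    return {"decision": "accept", "for_user_id": user_id, "dm_count": len(dms)}


def sample_deliveries() -> list:
    """Constructed deliveries: a legitimate one, a misrouted one, a forged one."""
    ok = json.dumps({"for_user_id": "1001",
                     "direct_message_events": [{"id": "1"}]}).encode()
    misrouted = json.dumps({"for_user_id": "9999",
                            "direct_message_events": [{"id": "2"}]}).encode()
    return [
        (ok, sign_body(ok)),               # valid signature, subscribed user
        (misrouted, sign_body(misrouted)), # valid signature, unknown user
        (ok, "sha256=AAAA"),               # forged or corrupted signature
    ]


def run_demo() -> list:
    """Apply handle_delivery to every sample and return the decisions."""
    return [handle_delivery(body, header) for body, header in sample_deliveries()]


if __name__ == "__main__":
    print(crc_response("example-crc-token"))
    for decision in run_demo():
        print(decision)
```

Rejecting on an unknown for_user_id does not stop the platform from sending misrouted data, but it keeps the receiving app from persisting or acting on it, which is the obligation Twitter describes when it asks developers to delete information they should not have.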

The company is notifying potentially affected users. According to Twitter, less than 1 percent of users were affected, which, given the size of its user base, still amounts to roughly 3 million people.

Twitter has already contacted developers who received the unintended data and is “working with them to ensure that they are complying with their obligations to delete information they should not have.”

The company is still investigating the issue.


Pierluigi Paganini

(Security Affairs – Twitter Account Activity API, data leak)
