
Twitter says bug may have exposed some direct messages to third-party developers - uptown
https://techcrunch.com/2018/09/21/twitter-bug-sent-user-direct-messages-to-developers-for-over-a-year/
======
rnotaro
From:
[https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html](https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html)

> We have validated that this bug might have occurred when all of the
> following technical circumstances were true during the relevant time period
> for this issue:
>
> 🞄 Two or more registered developers had active Account Activity API
> subscriptions configured for domains that resolved to the same public IP;
>
> 🞄 For active subscriptions, URL paths (after the domain) had to match exactly
> across those registered developers -- e.g. https://example.com/[webhooks/twitter]
> and https://anotherexample.com/[webhooks/twitter];
>
> 🞄 Those registered developers had activity relevant to their subscriptions
> occur in the same 6-minute time period (relevant because of a cache-like
> behavior); and
>
> 🞄 Those registered developers’ subscribers’ activities originated from the
> same backend server from within Twitter’s datacenter.
>
> Under those circumstances, if the bug occurred, the issue (transmission of
> activities to the wrong webhook URL) could have persisted until one of the
> following conditions was met:
>
> 🞄 For up to two weeks, OR
>
> 🞄 Until no relevant activity occurred for 6 minutes, OR
>
> 🞄 Until the IP address of the developer whose data was being misdelivered
> changed.

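A toy model of the collision the quoted post describes, added here as an illustration and not Twitter's code: a delivery-route cache keyed on resolved IP plus URL path (the assumed "cache-like behavior") lets two developers' subscriptions collide inside the 6-minute window, while keying on the subscription's own developer id and exact URL does not. The DNS table, subscription records and timings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CACHE_TTL = timedelta(minutes=6)  # the "6-minute time period" in the post

# Constructed DNS table (hypothetical): both domains resolve to one public IP.
DNS = {"example.com": "203.0.113.10", "anotherexample.com": "203.0.113.10"}

@dataclass
class Subscription:
    developer_id: str
    webhook_url: str

def split_url(url):
    host, _, path = url.split("://", 1)[1].partition("/")
    return host, "/" + path

class RouteCache:  # caches the delivery target for a subscription per key_fn(sub)
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}  # key -> (subscription, time of last activity)

    def deliver(self, sub, now):
        """Return the webhook URL an activity for `sub` is sent to."""
        key = self.key_fn(sub)
        hit = self.entries.get(key)
        if hit and now - hit[1] < CACHE_TTL:
            self.entries[key] = (hit[0], now)  # activity keeps the entry alive
            return hit[0].webhook_url          # may belong to another developer
        self.entries[key] = (sub, now)
        return sub.webhook_url

def buggy_key(sub):
    """Resolved IP + path only: distinct developers can collide."""
    host, path = split_url(sub.webhook_url)
    return (DNS[host], path)

def fixed_key(sub):
    """Developer id + exact URL: no cross-developer sharing."""
    return (sub.developer_id, sub.webhook_url)

def simulate(key_fn, gap_minutes=2):
    """Deliver for dev-a, then for dev-b gap_minutes later; return b's target."""
    a = Subscription("dev-a", "https://example.com/webhooks/twitter")
    b = Subscription("dev-b", "https://anotherexample.com/webhooks/twitter")
    cache = RouteCache(key_fn)
    t0 = datetime(2018, 1, 1, 12, 0)
    cache.deliver(a, t0)
    return cache.deliver(b, t0 + timedelta(minutes=gap_minutes))
```

With the buggy key, dev-b's activity is delivered to dev-a's URL; with a gap of 7 minutes (no activity for longer than the window) or with the fixed key, it goes to dev-b's own URL.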
------
sixhobbits
"Twitter said in a notice that only messages sent to brand accounts — like
airlines or delivery services — may be affected"

I hope this is true. I got the message and only really use Twitter DMs for
communicating with banks and airlines.

The message itself seems really poorly worded to me - I assumed that one of
their APIs didn't check permissions and included all DMs and protected tweets
in its output. "one or more" makes me assume "all" and "may" usually means
"definitely has" in these kinds of messages, so it would have been great if they
had included details about potential mitigating factors.

~~~
mcdowell28
Very personal data is sent to brand accounts by some users (to get support,
etc), so I don't think this is really good news.

~~~
QuinnyPig
Is it? I've sent support case numbers, and my email address, but never
anything like credit card numbers, SSNs, etc.

I'm not trying to downplay this, but I'm also not sending United Airlines my
innermost secrets here...

~~~
Insanity
A lot of people who are not tech savvy are also not so privacy aware perhaps.

I'm going out on a limb here and saying the average Hacker News user is not the
average Twitter user :)

~~~
uptown
Hence the existence of the now abandoned @NeedADebitCard user.

[http://twitter.com/NeedADebitCard](http://twitter.com/NeedADebitCard)

------
uptown
"The company said that the bug affected less than 1 percent of users on
Twitter. The company had 335 million users as of its latest earnings release."

So the bug affected roughly 3.3 million Twitter accounts. And it also affected
everyone who may be impacted by the contents of the messages which were not
protected, whether you're a Twitter user or not, which could be many millions
more.

~~~
JCSato
"Less than 1" != 1. The bug affected roughly 3.3 million _at most_. It is
annoying that they don't give a more precise number, but I doubt most people
would care.

------
uptown
Here's Twitter's official statement: [https://help.twitter.com/en/account-activity-api](https://help.twitter.com/en/account-activity-api)

------
morpheuskafka
If it's not end to end encrypted via a free software, audited client, you
should be operating under the assumption that it is not being held in
confidence.

In this day and age, you shouldn't settle for anything less.

~~~
smt88
That means I should assume 100% of my emails are not confidential, which is an
impossible situation for most people with jobs and non-technical relatives.

~~~
inawarminister
Wasn't that why PGP got invented? Of course, it's much too onerous to the
typical techie, nevermind non-technical relatives and friends...

------
CryoLogic
The worst one was at the bottom, who cares about DM -

"Twitter also said that earlier this year there was a bug where log files
where created with user passwords in plaintext. Twitter urges users to change
their passwords"

I mean, what type of company with over a billion dollars in VC capital stores
passwords in plaintext?

~~~
guessmyname
They explained the bug here:

> _May 3, 2018_
>
> _Due to a bug, passwords were written to an internal log before completing
> the hashing process. We found this error ourselves, removed the passwords,
> and are implementing plans to prevent this bug from happening again._
>
> — [https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html](https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html)

------
shady-lady
> Twitter said that a “bug” sent user’s private direct messages to third-party
> developers “who were not authorized to receive them.”

user's -> users'

__plural__

------
mcdowell28
Title should explicitly say "THIRD PARTY". I was thinking of Twitter
employees.

Also:

> a “bug” sent user’s private direct messages to third-party developers “who
> were not authorized to receive them.”

But:

> it’s “highly unlikely” that any communication was sent to the incorrect
> developers at all

Which one is it?

~~~
sctb
We reverted the submitted title “Twitter bug sent user direct messages to
developers for over a year” to the original.

~~~
uptown
The article was submitted with a title matching the TechCrunch title at the
time of submission. TechCrunch changed their title after it was submitted to
Hacker News.

