Twitter recently reported an Account Activity API bug. The bug may have caused data to be delivered to the wrong developer. Twitter has now updated its report based on its investigations and remediation efforts. Regarding the actual bug, Twitter wrote on its developer blog:
"Based on the way the Account Activity API works, the issue itself would have involved data being sent by Twitter to the wrong registered developer’s webhook URL. This API sends data to registered developers who use the Account Activity API based on their active ‘subscriptions.’"
For the above action to take place, Twitter has indicated that all of the following technical circumstances must have occurred:
- 2+ registered developers with active Account Activity API subscriptions configured for domains that resolved to the same public IP, AND
- URL paths for active subscriptions matched across the registered developers, AND
- Registered developers experienced activity relevant to their subscriptions in the same 6-minute time period, AND
- Registered developers' subscribers' activities originated from the same backend service within Twitter's datacenter.
If the above circumstances occurred, and the data was transmitted to the wrong webhook URL, the bug could have continued until one of the following:
- up to 2 weeks, OR
- no relevant activity occurred for 6 minutes, OR
- the IP address of the registered developer changed
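
For a hosting operator that can see several developers' webhook registrations, the first three conditions above can be checked directly. The following is an added example, not code from Twitter or from the original report. The sample data is constructed, the function names are hypothetical, "matching paths" is assumed to mean an exact match, and the fourth condition (same Twitter backend service) is not modelled because it is not observable outside Twitter.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=6)  # the 6-minute period named in Twitter's report

# Constructed sample data: (developer, webhook URL, public IP the domain resolves to)
WEBHOOKS = [
    ("dev-a", "https://a.example.com/webhooks/twitter", "203.0.113.10"),
    ("dev-b", "https://b.example.net/webhooks/twitter", "203.0.113.10"),
    ("dev-c", "https://c.example.org/webhooks/twitter", "198.51.100.7"),
    ("dev-d", "https://d.example.com/hooks/other", "203.0.113.10"),
]
# Constructed sample data: times at which each developer's subscriptions saw activity
ACTIVITY = {
    "dev-a": [datetime(2024, 1, 1, 12, 0), datetime(2024, 1, 1, 15, 30)],
    "dev-b": [datetime(2024, 1, 1, 12, 4)],
    "dev-c": [datetime(2024, 1, 1, 12, 1)],
    "dev-d": [datetime(2024, 1, 1, 12, 2)],
}

def colliding_pairs(webhooks):
    """Conditions 1 and 2: distinct developers sharing a public IP and a URL path."""
    groups = defaultdict(set)
    for dev, url, ip in webhooks:
        path = urlsplit(url).path or "/"  # assumption: exact path comparison
        groups[(ip, path)].add(dev)
    return sorted(
        (a, b, ip, path)
        for (ip, path), devs in groups.items()
        for a, b in combinations(sorted(devs), 2)
    )

def overlapping(times_a, times_b, window=WINDOW):
    """Condition 3: both developers saw activity within the same window."""
    return any(abs(ta - tb) <= window for ta in times_a for tb in times_b)

def exposed_pairs(webhooks, activity):
    """Developer pairs that meet all three observable conditions."""
    return [(a, b) for a, b, _ip, _path in colliding_pairs(webhooks)
            if overlapping(activity.get(a, []), activity.get(b, []))]

if __name__ == "__main__":
    print(exposed_pairs(WEBHOOKS, ACTIVITY))
```
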