Twitter Gives Update on Account Activity API Bug

Twitter recently reported an Account Activity API bug. The bug may have caused data to be delivered to the wrong developer. Twitter has now updated its report based on its investigation and remediation efforts. Regarding the bug itself, Twitter wrote on its developer blog:

"Based on the way the Account Activity API works, the issue itself would have involved data being sent by Twitter to the wrong registered developer’s webhook URL. This API sends data to registered developers who use the Account Activity API based on their active ‘subscriptions.’"

For the above action to take place, Twitter has indicated that all of the following technical circumstances must have occurred:

  • 2+ registered developers with active Account Activity API subscriptions configured for domains that resolved to the same public IP, AND
  • URL paths for active subscriptions matched across the registered developers, AND
  • Registered developers experienced activity relevant to their subscriptions in the same 6-minute time period, AND
  • Registered developers' subscribers' activities originated from the same backend service within a Twitter datacenter.

If the above circumstances occurred, and the data was transmitted to the wrong webhook URL, the bug could have continued until one of the following:

  • up to 2 weeks, OR
  • no relevant activity occurred for 6 minutes, OR
  • the IP address of the registered developer changed
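The four preconditions and three termination conditions above describe a routing cache that aliases two developers whenever their webhook hosts resolve to the same IP and share a URL path within a 6-minute activity window. The following is an added example, not code from Twitter or from this article: a hypothetical model of such a cache (`IpPathRouter`), the corrected design that keys deliveries on the subscription owner instead, and an audit function a platform operator could run over its own subscription table to flag developer pairs that meet the collision preconditions. All names, the DNS table and the timeline are constructed for illustration.

```python
"""Hypothetical model of the webhook misrouting failure mode; not Twitter's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_SECONDS = 6 * 60                  # no relevant activity for 6 minutes clears the entry
MAX_ENTRY_AGE_SECONDS = 14 * 24 * 3600   # a stale entry lives at most 2 weeks


@dataclass(frozen=True)
class Subscription:
    developer_id: str
    webhook_host: str
    webhook_path: str


@dataclass
class CacheEntry:
    developer_id: str
    created_at: float
    last_activity_at: float


class IpPathRouter:
    """Models the bug: delivery target cached by (resolved IP, URL path) only.

    Two developers whose webhook hosts resolve to the same public IP (e.g. a shared
    CDN or load balancer) and who use the same path collide on one cache entry.
    """

    def __init__(self, dns: Dict[str, str]):
        self.dns = dns                                   # hostname -> resolved IP (constructed)
        self.cache: Dict[Tuple[str, str], CacheEntry] = {}

    def deliver(self, sub: Subscription, now: float) -> str:
        key = (self.dns[sub.webhook_host], sub.webhook_path)
        entry = self.cache.get(key)
        if entry is not None:
            fresh = now - entry.last_activity_at < WINDOW_SECONDS
            not_expired = now - entry.created_at < MAX_ENTRY_AGE_SECONDS
            if fresh and not_expired:
                entry.last_activity_at = now
                return entry.developer_id                # may belong to the other developer
        # Miss, idle for 6 minutes, or older than 2 weeks: rebuild the entry for this caller.
        self.cache[key] = CacheEntry(sub.developer_id, now, now)
        return sub.developer_id


class OwnerKeyedRouter:
    """Corrected design: the cache key includes the subscription owner, so shared
    infrastructure (same IP, same path) can never alias two developers."""

    def __init__(self, dns: Dict[str, str]):
        self.dns = dns
        self.cache: Dict[Tuple[str, str, str], CacheEntry] = {}

    def deliver(self, sub: Subscription, now: float) -> str:
        key = (sub.developer_id, self.dns[sub.webhook_host], sub.webhook_path)
        entry = self.cache.get(key)
        if entry is None or now - entry.last_activity_at >= WINDOW_SECONDS:
            self.cache[key] = CacheEntry(sub.developer_id, now, now)
        else:
            entry.last_activity_at = now
        return self.cache[key].developer_id


def find_collision_risks(subs: List[Subscription], dns: Dict[str, str]) -> List[Tuple[str, str]]:
    """Operator-side audit: developer pairs whose active subscriptions resolve to the
    same IP with the same path, i.e. the first two preconditions of the bug."""
    first_owner: Dict[Tuple[str, str], str] = {}
    risks: List[Tuple[str, str]] = []
    for s in subs:
        key = (dns[s.webhook_host], s.webhook_path)
        if key in first_owner and first_owner[key] != s.developer_id:
            risks.append((first_owner[key], s.developer_id))
        first_owner.setdefault(key, s.developer_id)
    return risks


# Constructed fixture: two developers behind one shared IP, same webhook path.
DNS = {"hooks.alice.example": "203.0.113.10", "hooks.bob.example": "203.0.113.10"}
ALICE = Subscription("dev-alice", "hooks.alice.example", "/webhooks/twitter")
BOB = Subscription("dev-bob", "hooks.bob.example", "/webhooks/twitter")
# (seconds, subscription with relevant activity); Bob's last event comes after a 7-minute gap.
TIMELINE = [(0.0, ALICE), (120.0, BOB), (200.0, ALICE), (200.0 + 7 * 60, BOB)]


def simulate(router) -> List[Tuple[str, str]]:
    """Returns (intended developer, developer actually delivered to) per event."""
    return [(sub.developer_id, router.deliver(sub, t)) for t, sub in TIMELINE]


def misroute_count(router) -> int:
    return sum(1 for intended, actual in simulate(router) if intended != actual)


if __name__ == "__main__":
    print("buggy router:", simulate(IpPathRouter(DNS)))
    print("fixed router:", simulate(OwnerKeyedRouter(DNS)))
    print("collision risks:", find_collision_risks([ALICE, BOB], DNS))
```

In the buggy router, Bob's event at 120 s lands in Alice's cache entry, while his event after a 7-minute gap is routed correctly because the entry had gone idle, which is the "no relevant activity occurred for 6 minutes" termination condition. The audit function is the check worth running as a defender: it surfaces the risky pairs without waiting for a misdelivery to be reported.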

Twitter is continuing to work with developers who may have been affected. Of the partners Twitter has worked with so far, none appeared to be affected by the bug. The bug was present from the initial availability of the Account Activity API until September 10, 2018.
