Twitter bugs expose user data and direct messages

Two separate issues may have led to the exposure of private Twitter data, one of which the company speculated was exploited by nation-state hackers.

The first of two Twitter bugs was discovered and disclosed through the company's HackerOne bug bounty platform and is reminiscent of an issue that Twitter faced earlier this year. The bug, found by Terence Eden, a security researcher based in Oxford, England, allowed unauthorized apps to access Twitter direct messages.

"Many years ago the official Twitter API keys were leaked. This means that app authors who can't get their app approved by Twitter are still able to access the Twitter API," Eden wrote in a blog post. "For some reason, Twitter's OAuth screen says that these apps do not have access to direct messages. But they do! In short, users could be tricked into allowing access to their DMs."

Twitter assured Eden the issue was fixed on Dec. 6.

The second of the two Twitter bugs disclosed this week related to a support form used to contact Twitter about account issues. Twitter discovered the issue and fixed it on Nov. 16. According to the company, the bug exposed the country code of user phone numbers and "whether or not their account had been locked by Twitter."

"We have directly informed the people we identified as being affected," Twitter wrote in the announcement. "During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors."

Tim Mackey, senior technical evangelist at Synopsys, said it's not "prudent for any organization to comment on motivations for data leakage or data breaches they've experienced."

"If there are reasons to suspect malicious intent, the proper course of action is to actively engage law enforcement and, in parallel, disclose any technical details on the method of data access, protections put in place for users and the nature of the data involved," he said. "Such a model then allows for any users to best protect themselves from damage arising from the data involved. I've found the old adage of 'just the facts' is the most effective solution when it comes security disclosures. Of course, if law enforcement confirms malicious intent, it does benefit the organization's users to know the nature of the attack, as that would also fall under the umbrella of users needing to minimize the damage to themselves."