Earlier today, Twitter sent a message to a large number of users to inform them of an API bug. According to the company, on September 10 it identified a bug that may have exposed direct messages and protected-account data to Twitter developers who were not authorized to receive them.

Twitter went into more detail about the bug on its developer blog, explaining that it could have caused data to be sent to the wrong developer's webhook URL (a mechanism some Twitter apps use to retrieve data). For this to happen, two or more registered developers had to have API subscriptions linked to the same public IP address, the URL paths had to match exactly between those addresses, and the information sent to the developers had to come from the same server in Twitter's data center.

Since all of these conditions had to be true at the same time for the bug to occur, it seems unlikely that any malicious developer could have taken advantage of it. Twitter says it has found no evidence of such behavior so far, but the company is still investigating.