Details for developers on Account Activity API bug

We recently published a notice about a bug related to our Account Activity API that could have resulted in data being delivered to the wrong registered developer. As part of our ongoing investigation, we have already emailed all developers who may have been impacted, and want to provide some additional details to potentially affected developers here. So far, our investigations have confirmed only one set of technical circumstances where this issue could have occurred.

For context: Based on the way the Account Activity API works, the issue itself would have involved data being sent by Twitter to the wrong registered developer’s webhook URL. This API sends data to registered developers who use the Account Activity API based on their active ‘subscriptions.’

We have validated that this bug might have occurred when all of the following technical circumstances were true during the relevant time period for this issue:

• Two or more registered developers had active Account Activity API subscriptions configured for domains that resolved to the same public IP;
• For active subscriptions, URL paths (after the domain) had to match exactly across those registered developers -- e.g. https://example.com/[webhooks/twitter] and https://anotherexample.com/[webhooks/ twitter ];
• Those registered developers had activity relevant to their subscriptions occur in the same 6-minute time period (relevant because of a cache-like behavior); and
  
• Those registered developers’ subscribers’ activities originated from the same backend server from within Twitter’s datacenter
  

Under those circumstances, if the bug occurred, the issue (transmission of activities to the wrong webhook URL) could have persisted until one of the following conditions were met:

• For up to two weeks, OR
• Until no relevant activity occurred for 6 minutes, OR
• Until the IP address of the developer whose data was being misdelivered changed

Our team has been working diligently with our most active enterprise data customers and partners who have access to this API to evaluate if they were impacted. Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review. Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted.

If you are a developer who used the Account Activity API during the relevant time period for this issue (i.e., between the date you had access to the AAAPI and Sept. 10, 2018), we hope the above information is useful in assessing whether this issue may have impacted your services. Our investigation into this issue is ongoing. We will provide any significant additional technical updates if we have them.