Previously, Twitter sent a message to a large number of users to inform about the API bug. According to the company, it identified a bug on September 10 that potentially allowed direct messages and protected accounts to be read by “Twitter developers who did not authorize them to receive”.
Twitter provided more information about the bug on its developer blog, explaining that this data may allow the wrong developer’s webhose URL (the mechanism to use to retrieve some of the twitter application data).
For this, more than two or more registered developers had to share the API subscription associated with the same public IP, the URL paths were exactly matching in those IPs, and the information sent to the developers was generated from the same server in Twitter’s datacenter Was there.
Since all those situations should be true for bugs (at the same time), it seems that this malicious developer was exploited. Twitter says that no evidence of such behavior has been received so far, but the company is still investigating.