Twitter warns developers that their private keys and account tokens may have been exposed

Twitter has emailed developers warning of a bug that may have exposed their private app keys and account tokens.

In the email, obtained by TechCrunch, the social media giant said that the private keys and tokens may have been improperly stored in the browser’s cache by mistake.

“Prior to the fix, if you used a public or shared computer to view your developer app keys and tokens on developer.twitter.com, they may have been temporarily stored in the browser’s cache on that computer,” the email read. “If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed.”

The email said that in some cases the developer’s access token for their own Twitter account may have also been exposed.

These private keys and tokens are considered secret, just like passwords, because they can be used to interact with Twitter on behalf of the developer. Access tokens are also highly sensitive, because if stolen they can give an attacker access to a user’s account without needing their password.

Twitter said that it has not yet seen any evidence that these keys were compromised, but alerted developers out of an abundance of caution. The email said users who may have used a shared computer should regenerate their app keys and tokens.

It is not immediately known how many developers were affected by the bug or exactly when the bug was fixed. A Twitter spokesperson would not provide a figure.

In June, Twitter said that business customers, such as those who advertise on the site, may have had their private information also improperly stored in the browser’s cache.

A hacker used Twitter’s own ‘admin’ tool to spread cryptocurrency scam