
I read the article and thought, "well, yes, the option that needed to be enabled on the account for the attack to work describes what the API did, what is the bug?"

I found the original notice from Twitter [1] easier to understand (maybe change the URL of this post?), and it does not speak about a bug. Twitter did implement a change so that the attack cannot be done anymore, though.

I did not understand the fix itself; it seems the API cannot be used for its intended use anymore?

[1] https://privacy.twitter.com/en/blog/2020/an-incident-impacti...



The fix was to block the botnets that were scanning millions of numbers and ban the associated accounts. Likely that includes some ongoing threat detection as well. That'll at least prevent scammers from collecting one more account name/number to attempt to exploit.

It doesn't do anything against a targeted attack against someone who has chosen to be discoverable. That's just how search/discovery is intended to work.


The intended use was for a user to submit their contact data (phone book). Twitter's API would return a list of usernames matching those numbers for the purpose of requesting/notifying/suggesting potential friends (in exchange for their* data, used to build a social graph/sell). Twitter patched/updated the API (it probably returns a token or key or something that doesn't reveal the username now), which means that if someone wants to submit a list of phone numbers to get their Twitter usernames they'll have to pay Twitter[0] or use a different "exploit".

* If someone has my phone number in their phone book and gives it to Twitter, it becomes our data.

[0] https://business.twitter.com/en/help/overview/what-are-promo...
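The two comments above describe the same mechanism from two sides: a contact-upload endpoint that maps phone numbers to usernames for opted-in users, and a fix that amounts to spotting and banning accounts that feed it millions of guessed numbers. The following is an added toy model of that, not Twitter's code or API: a naive matcher that an attacker can drain by enumerating a number block, and a hardened matcher that keeps the intended address-book use working while tripping on the enumeration pattern (small batches, a daily cap, and a ban when an account's match rate is far below what a real phone book produces). The directory, prefix, quotas and thresholds are all constructed for illustration.

```python
"""Toy contact-matching ("find friends") endpoint and the phone-number
enumeration abuse discussed in the thread.

Constructed example: users, numbers, thresholds and the attacker are all
invented for illustration and are not Twitter's code or API.
"""
import random
from dataclasses import dataclass


@dataclass
class User:
    username: str
    phone: str
    discoverable: bool  # the per-account "let people find me by phone" opt-in


@dataclass
class Directory:
    users: list

    def phone_index(self) -> dict:
        """Only opted-in users are matchable; that part is intended behaviour."""
        return {u.phone: u.username for u in self.users if u.discoverable}


def build_directory(seed: int = 1, n_users: int = 300, span: int = 100_000) -> Directory:
    """Constructed sample data: n_users with distinct fake numbers in one prefix block."""
    rng = random.Random(seed)
    phones = rng.sample(range(span), n_users)
    return Directory([
        User(f"user{i}", f"+1555{p:07d}", discoverable=(i % 3 != 0))
        for i, p in enumerate(phones)
    ])


def naive_match(directory: Directory, numbers: list) -> dict:
    """Intended use: upload an address book, get back {number: username}."""
    idx = directory.phone_index()
    return {n: idx[n] for n in numbers if n in idx}


def enumerate_naive(directory: Directory, prefix: str, span: int, batch: int = 500) -> dict:
    """Abuse: submit every number in a prefix block and harvest the whole mapping."""
    numbers = [f"{prefix}{i:07d}" for i in range(span)]
    found = {}
    for i in range(0, span, batch):
        found.update(naive_match(directory, numbers[i:i + batch]))
    return found


@dataclass
class Quota:
    max_batch: int = 200           # assumed: real address books are not 500 numbers per call
    max_numbers_per_day: int = 2000
    min_sample: int = 500          # only judge hit rate once enough has been uploaded
    min_hit_rate: float = 0.02     # guessed numbers match far less often than real contacts


class HardenedMatcher:
    """Same lookup, plus per-account quotas and a low-hit-rate enumeration check."""

    def __init__(self, directory: Directory, quota: Quota = Quota()):
        self.idx = directory.phone_index()
        self.quota = quota
        self.uploaded = {}  # account -> numbers submitted today
        self.hits = {}      # account -> matches returned today
        self.banned = set()

    def match(self, account: str, numbers: list) -> dict:
        if account in self.banned:
            raise PermissionError("account banned")
        if len(numbers) > self.quota.max_batch:
            raise ValueError("batch too large")
        total = self.uploaded.get(account, 0) + len(numbers)
        if total > self.quota.max_numbers_per_day:
            raise PermissionError("daily quota exceeded")
        self.uploaded[account] = total
        matched = {n: self.idx[n] for n in numbers if n in self.idx}
        hits = self.hits[account] = self.hits.get(account, 0) + len(matched)
        # A real phone book matches a meaningful fraction of its entries; a scan of
        # sequential or random numbers barely matches anything. Ban on that signal.
        if total >= self.quota.min_sample and hits / total < self.quota.min_hit_rate:
            self.banned.add(account)
            raise PermissionError("enumeration pattern detected")
        return matched


def enumerate_hardened(matcher: HardenedMatcher, account: str, prefix: str,
                       span: int, batch: int = 200):
    """Same attacker against the hardened endpoint; returns (harvested, stop_reason)."""
    numbers = [f"{prefix}{i:07d}" for i in range(span)]
    found = {}
    for i in range(0, span, batch):
        try:
            found.update(matcher.match(account, numbers[i:i + batch]))
        except PermissionError as e:
            return found, str(e)
    return found, None


if __name__ == "__main__":
    d = build_directory()
    print("naive endpoint leaks", len(enumerate_naive(d, "+1555", 100_000)), "usernames")
    m = HardenedMatcher(d)
    print("legit address book:", m.match("alice", [u.phone for u in d.users[:9]]))
    print("attacker vs hardened endpoint:", enumerate_hardened(m, "bot1", "+1555", 100_000))
```

The hardened version does not make discoverability safe against a targeted lookup of one known number, which matches the second comment's point that search by phone is working as designed for opted-in users; it only raises the cost of bulk harvesting, which is the part the thread says was actually fixed.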



