Twitter flaw gave third-party apps unauthorized access to private messages, researcher says

The issue was fixed, but apps that gained this permission without proper authorization still have it

Users who signed into third-party Web or mobile applications using their Twitter accounts might have given those applications access to their Twitter private "direct" messages without knowing it, according to Cesar Cerrudo, the chief technology officer of security consultancy firm IOActive.

The issue is the result of a flaw in Twitter's API (application programming interface) that led to users not being properly informed about what permissions an application will have on their accounts once granted access. Cerrudo described the problem and explained how he discovered it in a blog post published Tuesday.

Applications that allow users to log in with their Twitter accounts have to be registered with Twitter at https://dev.twitter.com/apps. During registration, their developers have to declare the level of access the applications will have on people's accounts: "read only," "read and write" or "read, write and access to direct messages."

When users attempt to log into such an application for the first time using their Twitter accounts, they get redirected to an authorization page on Twitter's website that lists the permissions requested by the particular application.

Cerrudo said that he discovered the issue while he was testing an application developed by a friend that had a "read, write and access to direct messages" permission declared with Twitter.

When he first signed into the application with his Twitter account, he was redirected to an authorization page that informed him that the application would be able to read tweets from his timeline, see which users he follows, follow new users on his behalf, update his profile information and post tweets on his behalf, he said. The page clearly noted that the application would not be able to access direct messages or the account's password.

"After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages," he wrote on the blog. "I felt that my account was safe, so I signed in and played with the application."

The researcher noticed that the application had functionality to access and display direct messages, but the feature didn't appear to be working. This made sense because he hadn't been asked to grant that permission.

However, after signing in and out of the application and Twitter a few times, his direct messages started appearing in the application. When checking the list of applications authorized to interact with his Twitter account (Settings > Apps) he noticed that the application did in fact have the read, write, and access direct messages permissions.

"I realized that this was a huge security hole," Cerrudo said.

The researcher confirmed Tuesday that he successfully reproduced the behavior several times by revoking access to the app and going through the authorization process again without being warned that the app would be able to read his private messages. The issue was reported to Twitter on Jan. 16 and was addressed in less than 24 hours, he said.

"They said the issue occurred due to complex code and incorrect assumptions and validations," Cerrudo said in the blog post.

However, Twitter's fix does not seem to apply retroactively. After Twitter fixed the issue, the app Cerrudo was testing that already had access to his account continued to display direct messages despite never receiving authorization from him to do so, he said.

Twitter users should check if any of the apps they authorized in the past also gained access to their direct messages without their knowledge, Cerrudo said. This can be done by reviewing their permissions on the Twitter Settings > Apps page.

Cerrudo decided to make this issue public because it can have serious implications and because Twitter did not issue a public advisory or announcement about it. The company should maintain a dedicated page where it can inform users about security issues, he said.

Twitter did not immediately respond to a request for comment.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags social mediaprivacyinternettwittersocial networkingonline safetyInternet-based applications and servicesAccess control and authenticationIOActive

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?