Millions could be affected by Twitter bug, says Cesar Cerrudo

Warwick Ashford

A flaw in Twitter's sign-in service allowed third-party applications to access the direct messages (DMs) of users who signed in to those applications with their Twitter accounts, even when the user had not granted DM access, reports IOActive researcher Cesar Cerrudo.

He discovered the flaw while testing a web application still under development.

Cerrudo signed into the app using his Twitter account after Twitter's authorisation page had stated that the application would not be given access to his password or his direct messages.

"After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages. I felt that my account was safe, so I signed in and played with the application," Cerrudo wrote in a blog post.  

The app had a feature to fetch and display Twitter DMs, but at first it did not work because Twitter was blocking the requests, which is what Cerrudo expected given the permissions shown at sign-in.

But after logging in and out of the app several times, Cerrudo noticed the app was displaying all of his Twitter DMs. A check of the application permissions in his Twitter account settings confirmed that the app had been granted access to DMs, a permission he had never been asked to approve.

Cerrudo reported the flaw to Twitter's security team, which fixed it in less than 24 hours. However, Twitter has not alerted users that they may have been affected.

The fix also did not revoke permissions that had already been granted: after it was deployed, Cerrudo found the application he had tested still had access to his DMs until he revoked that permission himself.

Millions of people could have signed into third-party applications with Twitter while the flaw was present, Cerrudo pointed out, and any of those applications may have been granted DM access in the same way.

“Some of these applications might have gained access to and might still have access to Twitter users' private DMs,” Cerrudo warned.

Cerrudo advises Twitter users to review the permissions of the third-party applications listed in their Twitter account settings.

“If you see an application that has access to your direct messages and you never authorised it, then revoke it immediately,” Cerrudo wrote.
