A Twitter flaw allows third-party applications to access the direct messages of users who sign in to apps using Twitter accounts, reports IOActive researcher Cesar Cerrudo.
He discovered the flaw while testing a web application still under development.
Cerrudo signed into the app using his Twitter account after checking with Twitter that this would not give any third-party application access to his direct messages (DMs).
"After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages. I felt that my account was safe, so I signed in and played with the application," Cerrudo wrote in a blog post.
As expected, Cerrudo found that the app included functionality to fetch and display Twitter DMs, but the feature did not work because Twitter was blocking access.
But after logging in and out of the app several times, Cerrudo noticed the app was displaying all his Twitter DMs. A check of the application's permissions in his Twitter account settings confirmed it had been granted access to DMs.
Cerrudo reported the flaw to Twitter’s security team, which fixed it in less than 24 hours. However, Twitter has not alerted users that they may have been affected.
After the fix, Cerrudo found the application he had tested still had access to DMs until he revoked that permission.
Millions of people could have signed into third-party applications with Twitter before the flaw was fixed, Cerrudo pointed out.
“Some of these applications might have gained access to and might still have access to Twitter users' private DMs,” Cerrudo warned.
Cerrudo advises Twitter users to check the permissions granted to third-party applications.
“If you see an application that has access to your direct messages and you never authorised it, then revoke it immediately,” Cerrudo wrote.
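For developers of applications that sign users in with Twitter, the counterpart to Cerrudo's advice is to verify what an access token can actually do rather than trust what the app asked for. The following is an added example, not code from the article or from Cerrudo or IOActive; it assumes that Twitter API 1.1 responses carry an `X-Access-Level` header whose value is one of `read`, `read-write` or `read-write-directmessages`, and the header dictionaries it checks are constructed samples rather than captured responses.

```python
"""Detect an access token that carries more Twitter permission than the
application requested (for example DM access after a plain sign-in).

Assumption (not from the article): Twitter API 1.1 responses include an
``X-Access-Level`` header with one of the values in ACCESS_LEVELS below.
"""

# Permission levels in increasing order of privilege.
ACCESS_LEVELS = ("read", "read-write", "read-write-directmessages")


def granted_access_level(headers):
    """Return the access level reported in a response's headers.

    Header names are matched case-insensitively. An absent or unknown value
    raises, so a caller can never silently assume the narrowest level.
    """
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level not in ACCESS_LEVELS:
                raise ValueError("unrecognised access level: %r" % value)
            return level
    raise ValueError("response carries no X-Access-Level header")


def check_least_privilege(headers, requested):
    """Compare the granted level with the level the application requested.

    Returns a dict describing the outcome. ``over_privileged`` is True when
    the token can do more than the app asked for; an app seeing that should
    stop using the token and tell the user to revoke it at Twitter, rather
    than quietly making use of the extra access.
    """
    if requested not in ACCESS_LEVELS:
        raise ValueError("unknown requested level: %r" % requested)
    granted = granted_access_level(headers)
    over = ACCESS_LEVELS.index(granted) > ACCESS_LEVELS.index(requested)
    return {
        "requested": requested,
        "granted": granted,
        "dm_access": granted == "read-write-directmessages",
        "over_privileged": over,
    }


# Constructed sample headers standing in for two verify_credentials responses:
# one for a normal sign-in token, one for a token that silently gained DM access.
SIGN_IN_ONLY = {"Content-Type": "application/json",
                "X-Access-Level": "read-write"}
DM_LEAKED = {"content-type": "application/json",
             "x-access-level": "read-write-directmessages"}

if __name__ == "__main__":
    print(check_least_privilege(SIGN_IN_ONLY, "read-write"))
    print(check_least_privilege(DM_LEAKED, "read-write"))
```

The check fails closed: a missing or unexpected header is treated as an error rather than as the lowest level, because the incident above was precisely a case where the permission silently widened without the user or the app being told.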