Twitter bug gives third-party apps access to private data
A security researcher said Tuesday that he discovered a vulnerability in Twitter that allows applications to access users' direct messages without them knowing.
And, he said, although Twitter has now plugged the hole, users remain in the dark about how they may have been affected.
Cesar Cerrudo, the CTO of IOActive Labs, the research arm of the computer security services firm, said the vulnerability can exploit users who sign in to third-party applications using their Twitter credentials, a common authentication capability offered by many web and mobile apps.
In most cases, this authorizes the app to read a user's tweets, learn who they follow on Twitter, follow new people and post tweets. But what it does not do is enable the application access to a user's direct, or private, messages.
However, Cerrudo found an application, whose security he was testing, which does, in fact, access direct messages, even though he never gave it that right. This is thanks to a flaw in Twitter whose underlying cause the researcher was unable to determine, opting instead to quickly notify the popular microblogging site of the issue.
"After logging in to the application [I was testing], I suddenly saw something strange," he explained in a blog post. "The application was displaying all of my Twitter direct messages. This was a huge and scary surprise."
Cerrudo probed further and found that the application had "read, write and direct messages" privileges, even though he had never granted the application that approval.
"I started to investigate how this could have happened," Cerrudo wrote. "After some testing, I found that the application obtained access to my private direct messages when I signed into Twitter for a second or third time. The first time I signed into Twitter on the application, it only received read and write access permissions.
"Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user's Twitter direct messages."
Cerrudo said that while he didn't have time to conclude the "root cause," he alerted Twitter, which promptly fixed the flaw on Thursday, attributing the problem to "complex code and incorrect assumptions and validations."
However, Cerrudo said he wants Twitter to better explain the vulnerability by issuing a public advisory, considering it may affect millions of users who sign in to third-party web and mobile apps with their Twitter login information.
A company spokesman did not immediately respond to a request for comment from SCMagazine.com.
In the meantime, Cerrudo encouraged users to check the permissions allowed by the applications they've linked to their Twitter accounts.