June 14, 2021

Twitter flaw allowed third party apps to access direct messages

(LiveHacking.Com) – There are lots of web sites that offer sign in via Twitter or offer the ability to interact with Twitter on your behalf. When such third party apps require access to Twitter, you need to explicitly grant permission via Twitter itself. Normally such web sites don’t have access to your direct messages but are limited to what is already public (i.e. your tweets). However, a bug was recently discovered that allowed third party web apps to access a user’s direct messages without the user’s knowledge or permission.

Cesar Cerrudo of IOActive Labs Research has detailed, in a blog post, how he discovered the unauthorized access. While testing a web application that had an option to sign into Twitter, Cesar discovered that the web app had been secretly granted permission to access his direct messages. It appears that this happened when he signed in with Twitter for a second or third time. The first time around, the app only had access to his public data. Later, however, when he signed in again via Twitter, the app had somehow obtained access to his direct messages.

“My surprise didn’t end here. I went to https://twitter.com/settings/applications to check the application settings. The page said ‘Permissions: read, write, and direct messages’. I couldn’t understand how this was possible, since I had never authorized the application to access my ‘private’ direct messages. I realized that this was a huge security hole.”

Cerrudo reported the vulnerability to Twitter. Its security team quickly resolved the issue and a fix was up within 24 hours. The only unknown at the moment is how long the bug exposed users’ private messages. The vulnerability was fixed on January 17, 2013, without a security advisory from Twitter.

It is worth periodically checking the https://twitter.com/settings/applications page to verify what apps are allowed to do with your Twitter account.

New Phishing Attack Spread by Twitter Direct Message

(LiveHacking.Com) — A new phishing attack has appeared on the Twitter network using Direct Messages (DM) to deceive people into following a link to a fake Twitter login page.

The messages, sent from other Twitter users, lure victims by asking whether they are the person pictured in a photo or video, or mentioned in a blog post.

Various versions of the bait messages include:

is this you in the video?
is this you in this picture?
check this out… it’s a funny blog post. you’re mentioned in it.

Clicking on the included link takes you to what appears, at first glance, to be the Twitter login page. In fact it is hosted on a domain whose spelling resembles Twitter’s but which isn’t associated with Twitter at all.

If you take the bait and enter your username and password on the page you have probably given your login credentials to hackers.
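As an added example (not part of the original LiveHacking.Com post), the following JavaScript is the kind of check a DM or mail filter could use to flag look-alike login links such as those described above. The trusted host, the two-edit threshold and the sample links are assumptions made for this example.

```javascript
// Added example, not code from the original article. Classifies a link's
// host against a trusted login domain so look-alike "login pages" can be
// flagged. All sample links are constructed for this example.

const TRUSTED_HOST = "twitter.com"; // assumed legitimate login host

// Levenshtein edit distance, used to spot near-miss spellings of the host.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns "trusted", "lookalike" or "unrelated" for one link.
function classifyLoginLink(link) {
  let url;
  try { url = new URL(link); } catch { return "unrelated"; }
  // Only the parsed hostname counts: the brand name appearing in the path
  // or as userinfo (https://twitter.com@evil.example/) is not the host.
  if (url.username !== "") return "lookalike"; // userinfo used to fake the host
  const host = url.hostname.toLowerCase();
  if (host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST)) return "trusted";
  // Registrable part: last two labels (sufficient for the .com-style hosts here).
  const registrable = host.split(".").slice(-2).join(".");
  // The brand used as a leading label (twitter.com.evil.example) or a spelling
  // within two edits of the real host is treated as a look-alike.
  if (host.includes(TRUSTED_HOST) || editDistance(registrable, TRUSTED_HOST) <= 2) {
    return "lookalike";
  }
  return "unrelated";
}

// Constructed sample of links of the kind a DM filter might see.
const SAMPLE_LINKS = [
  "https://twitter.com/login",                 // trusted
  "https://support.twitter.com/articles/31796", // trusted (subdomain)
  "http://twtter.com/login",                   // lookalike (one edit away)
  "http://twitter.com.example.net/login",      // lookalike (brand as prefix)
  "https://twitter.com@evil.example/",         // lookalike (userinfo trick)
  "https://example.org/twitter.com/login",     // unrelated (brand only in path)
];
```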

Del Harvey (@delbius), who runs Twitter’s Safety team, says that Twitter is resetting the passwords of users who it believes have been hit by the phishing attack: “We’re resetting passwords for affected users; here’s the help page to check out about what you should do. https://support.twitter.com/articles/31796-my-account-has-been-compromised”

OnMouseOver XSS plagues Twitter

A new wave of Twitter attacks that makes use of an XSS vulnerability in Twitter’s web client is causing trouble for users of the micro-blogging service. The injected script code is able to read the user’s Twitter cookie and authentication data. First assessments indicate that the vulnerability can be used to create a worm that spreads automatically.

Read the full story here.