(LiveHacking.Com) – There are lots of web sites that offer sign-in via Twitter or the ability to interact with Twitter on your behalf. When such third-party apps require access to Twitter, you must explicitly grant them permission on Twitter itself, and the permission screen tells you what the app is asking for. Normally such web sites are not given access to your direct messages; they are limited to what is already public (i.e. your tweets). However, a bug was recently discovered that allowed third-party web apps to gain access to a user’s direct messages without the user’s knowledge or permission.
Cesar Cerrudo of IOActive Labs Research has detailed how he discovered the unauthorized access in a blog post. While testing a web application that had an option to sign in with Twitter, Cerrudo discovered that the web app had been silently granted permission to access his direct messages. It appears that this happened when he signed in with Twitter for a second or third time. The first time around, the app only had access to his public data. Later, however, when he signed in again via Twitter, the app had somehow obtained access to his direct messages, even though no additional permission had been requested or approved.
“My surprise didn’t end here. I went to https://twitter.com/settings/applications to check the application settings. The page said ‘Permissions: read, write, and direct messages’. I couldn’t understand how this was possible, since I had never authorized the application to access my ‘private’ direct messages. I realized that this was a huge security hole.”
Cerrudo reported the vulnerability to Twitter. Its security team quickly resolved the issue, and a fix was deployed within 24 hours, on January 17, 2013. Twitter did not publish a security advisory. The only unknown at the moment is for how long the bug exposed users’ private messages before it was found.
It is worth periodically checking the https://twitter.com/settings/applications page to verify what apps are allowed to do with your Twitter account, and revoking access for any app you no longer use or that lists more permissions (such as direct messages) than it needs.
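The same least-privilege check can be run from the application side. Twitter’s v1.1 API at the time returned an X-Access-Level header on authenticated requests, with the values read, read-write and read-write-directmessages, so an app that only asked for read/write could detect a token that had somehow ended up with direct-message access. The following is an added example written for this article, not code from Twitter or from IOActive; the header name and its values are taken from Twitter’s API documentation of that period and should be verified against current documentation, the sample headers are constructed, and the audit logic is the author’s own.

```python
"""Audit stored Twitter tokens for more permission than the app requested."""
from typing import Dict, List

# Twitter's documented access levels, ordered from least to most privileged.
# Assumption: these were the X-Access-Level values in the v1.1 API (2013);
# confirm against current documentation before relying on them.
ACCESS_LEVELS = ["read", "read-write", "read-write-directmessages"]


def parse_access_level(headers: Dict[str, str]) -> str:
    """Extract the granted level from response headers (header names are
    case-insensitive, so match on a lower-cased name)."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level not in ACCESS_LEVELS:
                raise ValueError(f"unknown access level: {value!r}")
            return level
    raise KeyError("X-Access-Level header missing; was the request authenticated?")


def exceeds(granted: str, requested: str) -> bool:
    """True when the granted level is more privileged than what the app asked for."""
    return ACCESS_LEVELS.index(granted) > ACCESS_LEVELS.index(requested)


def audit_tokens(tokens: List[Dict], requested: str) -> List[str]:
    """Return the user ids whose token carries more permission than `requested`.

    Each token record holds the response headers captured from an authenticated
    call made with that token (e.g. GET account/verify_credentials).
    """
    over_privileged = []
    for record in tokens:
        granted = parse_access_level(record["headers"])
        if exceeds(granted, requested):
            over_privileged.append(record["user_id"])
    return over_privileged


# Constructed sample data: three users, one of whom (1002) shows the
# unexpected direct-message permission described in the article.
SAMPLE_TOKENS = [
    {"user_id": "1001", "headers": {"X-Access-Level": "read-write"}},
    {"user_id": "1002", "headers": {"x-access-level": "read-write-directmessages"}},
    {"user_id": "1003", "headers": {"X-Access-Level": "read"}},
]

if __name__ == "__main__":
    # The app in this scenario only ever requested read/write access.
    for user_id in audit_tokens(SAMPLE_TOKENS, requested="read-write"):
        print(f"user {user_id}: token has more permission than requested, "
              f"revoke and re-authorize")
```

A token flagged by this audit is the server-side counterpart of the “Permissions: read, write, and direct messages” line Cerrudo saw in his settings page; the sensible response is to invalidate it and have the user authorize again, rather than silently keeping access the user never approved.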