Twitter flaw gave private message access to third-party apps, researcher says
The issue was fixed, but apps that gained this permission without proper authorization still have it
IDG News Service - Users who signed into third-party Web or mobile applications using their Twitter accounts might have given those applications access to their Twitter private "direct" messages without knowing it, according to Cesar Cerrudo, the chief technology officer of security consultancy firm IOActive.
The issue is the result of a flaw in Twitter's API (application programming interface) that led to users not being properly informed about what permissions an application will have on their accounts once granted access. Cerrudo described the problem and explained how he discovered it in a blog post published Tuesday.
Applications that allow users to log in with their Twitter accounts have to be registered with Twitter at https://dev.twitter.com/apps. During registration, their developers have to declare the level of access the applications will have on people's accounts: "read only," "read and write" or "read, write and access to direct messages."
When users attempt to log into such an application for the first time using their Twitter accounts, they get redirected to an authorization page on Twitter's website that lists the permissions requested by the particular application.
Cerrudo said that he discovered the issue while he was testing an application developed by a friend that had a "read, write and access to direct messages" permission declared with Twitter.
When he first signed into the application with his Twitter account, he was redirected to an authorization page that informed him that the application would be able to read tweets from his timeline, see which users he follows, follow new users on his behalf, update his profile information and post tweets on his behalf, he said. The page clearly noted that the application would not be able to access direct messages or the account's password.
"After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages," he wrote on the blog. "I felt that my account was safe, so I signed in and played with the application."
The researcher noticed that the application had functionality to access and display direct messages, but the feature didn't appear to be working. This made sense because he hadn't been asked to grant that permission.
However, after signing in and out of the application and Twitter a few times, his direct messages started appearing in the application. When checking the list of applications authorized to interact with his Twitter account (Settings > Apps) he noticed that the application did in fact have the read, write, and access direct messages permissions.
"I realized that this was a huge security hole," Cerrudo said.
The researcher confirmed Tuesday that he successfully reproduced the behavior several times by revoking access to the app and going through the authorization process again without being warned that the app would be able to read his private messages. The issue was reported to Twitter on Jan. 16 and was addressed in less than 24 hours, he said.
- Capabilities You Need in an IP Address Management Solution A mismanaged IP space can cripple an otherwise healthy network. Take a moment to understand what you need in an enterprise-ready IPAM solution.
- Optimize IT Performance & Availability: Four Steps to Establish Effective IT Management Baselines More than ever before, your company's ability to grow hinges on IT performance and availability. Download this how-to report on establishing IT baselines,...
- Considerations for Embracing Wireless Monitoring Employee behavior is once again driving major changes for IT departments - this time it's BYOD. This report details three critical steps to...
- Fixing Intermittent Performance Problems Intermittent performance problems are among the most frustrating and time-consuming issues IT administrators face. Read this white paper and learn how technology advances...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the...
- IBM Global SaaS Study Video This video introduces the IBM Global SaaS study conducted by the Center for Applied Insights. The study reveals how companies are using Software... All Data Center White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!