Up until January 17 third-party Twitter apps were able to gain access to direct messages (DMs) even if you didn’t grant them permission to do so.
Third-party apps could easily gain access to private direct messages because of a vulnerability caused by “complex code and incorrect assumptions and validations,” said Cesar Cerrudo, a security researcher at IOActive.
Cerrudo noticed the security hole while analyzing a web application that allowed users to sign into Twitter. When he signed in, Twitter warned him the app would read his tweets, see who he followed, follow new people, post new tweets, and update his profile.
However, there was no mention of accessing direct messages. Yet Cerrudo discovered that the app was displaying all of his private messages.
“The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its ‘Sign in with Twitter’ web page,” the researcher said.
“Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this.”
He wasn’t able to determine the root cause, so he reported the vulnerability to Twitter. The social media company rushed to address it, attributing the bug to a combination of complex code and incorrect assumptions and validations.
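The failure described above is an app receiving more access than the sign-in page promised. As an added example (not code from the article, IOActive or Twitter), here is an application-side least-privilege check that compares the access level the app asked for with the level the API reports for the token it was given, so an over-grant like the one Cerrudo observed is caught rather than silently used. It assumes the API reports the token's level in an `x-access-level` response header with the values `read`, `read-write` or `read-write-directmessages`; the header dictionaries are constructed samples.

```python
# Added example, not from the article: an application-side least-privilege
# check after a "Sign in with Twitter" flow. The app records the access level
# it requested and compares it with what the API reports it actually received.
# Assumption: authenticated API responses carry an "x-access-level" header
# whose value is one of the levels below. Sample headers are constructed.

# Ordered from least to most privilege so that levels can be compared.
ACCESS_LEVELS = ("read", "read-write", "read-write-directmessages")


def granted_level(headers):
    """Return the access level the API reports, using a case-insensitive header lookup."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level not in ACCESS_LEVELS:
                raise ValueError(f"unknown access level: {value!r}")
            return level
    raise ValueError("x-access-level header missing")


def check_scope(requested, headers):
    """Return (ok, detail). ok is False when the token carries more privilege than
    the app requested (the over-grant in the article) or too little to operate."""
    got = granted_level(headers)
    want_rank, got_rank = ACCESS_LEVELS.index(requested), ACCESS_LEVELS.index(got)
    if got_rank > want_rank:
        # A conforming app discards such a token instead of using the extra access.
        return False, f"over-privileged token: requested {requested}, granted {got}"
    if got_rank < want_rank:
        return False, f"insufficient token: requested {requested}, granted {got}"
    return True, f"token matches requested level {got}"


# Constructed samples: the first matches what the sign-in page promised,
# the second is the situation observed after the second sign-in.
FIRST_SIGN_IN = {"Content-Type": "application/json", "X-Access-Level": "read-write"}
SECOND_SIGN_IN = {"Content-Type": "application/json",
                  "X-Access-Level": "read-write-directmessages"}

if __name__ == "__main__":
    for label, hdrs in (("first sign-in", FIRST_SIGN_IN), ("second sign-in", SECOND_SIGN_IN)):
        ok, detail = check_scope("read-write", hdrs)
        print(f"{label}: {'OK' if ok else 'ALERT'} - {detail}")
```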
While it’s a good thing Twitter addressed the issue, Cerrudo said Twitter should have issued a warning or an advisory to let users know about the fix. That’s because third-party apps that already obtained permissions before the fix might still be able to access direct messages unless those permissions are revoked.
Cerrudo advises users to review their third-party application permissions and revoke access for every app that has access to direct messages without their authorization.