Up until last week, January 17 to be more precise, third-party Twitter apps could have accessed your direct messages (DMs) even if you didn’t grant them permission to do so.
According to Cesar Cerrudo, a security researcher at IOActive, third-party apps could have easily gained access to private direct messages because of a vulnerability caused by “complex code and incorrect assumptions and validations.”
The expert noticed the security hole while analyzing a web application that allowed users to sign into Twitter. When he signed in, Twitter warned him that the app would read his tweets, see who he followed, follow new people, post new tweets, and update his profile.
However, there was no mention of access to direct messages. Yet Cerrudo discovered that the app was displaying all of his private messages.
“The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its ‘Sign in with Twitter’ web page,” the researcher explained.
“Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this.”
He wasn’t able to determine the root cause, so he reported the vulnerability to Twitter. The social media company rushed to address it, attributing the bug to complex code and incorrect assumptions and validations.
While it’s a good thing that Twitter has addressed the issue, Cerrudo says that Twitter should have issued a warning or an advisory to let users know about the fix. That’s because third-party apps that already obtained the access might still be able to read direct messages unless their permissions are revoked.
The expert advises users to review their third-party application permissions and revoke any app that has access to direct messages without having been authorized to do so.
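The failure mode described above is a token that carries broader access than the consent screen showed, so a client-side check and a user-side audit both reduce to comparing what was granted against what was consented to. The following is an added example, not code from the article or from IOActive or Twitter; the permission labels (`read`, `write`, `direct_messages`) and the sign-in records are constructed for illustration and do not reproduce Twitter's real permission identifiers or API.

```python
from dataclasses import dataclass

# Constructed permission labels; Twitter's actual permission identifiers
# are not given on the page and are not reproduced here.
READ, WRITE, DMS = "read", "write", "direct_messages"


@dataclass(frozen=True)
class SignIn:
    """One completed 'Sign in with Twitter' round trip (constructed record)."""
    app: str
    consented: frozenset   # permissions the consent page showed the user
    granted: frozenset     # permissions the issued token actually carries
    had_session: bool      # True if the user was already logged in to Twitter


def scope_escalation(signin: SignIn) -> frozenset:
    """Permissions the token carries that the user was never shown."""
    return signin.granted - signin.consented


def accept_token(signin: SignIn) -> bool:
    """Client-side rule: refuse any token broader than the consent shown."""
    return not scope_escalation(signin)


def apps_to_revoke(signins) -> set:
    """Apps that, on any sign-in, ended up with DM access the user never consented to."""
    return {s.app for s in signins if DMS in scope_escalation(s)}


# Constructed sample modelling the sequence in the article: the first sign-in
# (active session) is scoped correctly; the second (no session, credentials
# entered) silently gains direct-message access.
SAMPLE = [
    SignIn("example-app", frozenset({READ, WRITE}), frozenset({READ, WRITE}), had_session=True),
    SignIn("example-app", frozenset({READ, WRITE}), frozenset({READ, WRITE, DMS}), had_session=False),
    SignIn("other-app", frozenset({READ, WRITE, DMS}), frozenset({READ, WRITE, DMS}), had_session=False),
]

if __name__ == "__main__":
    for s in SAMPLE:
        extra = set(scope_escalation(s))
        print(s.app, "accept" if accept_token(s) else f"REJECT extra={extra}")
    print("revoke:", apps_to_revoke(SAMPLE))
```

An app that legitimately requested and displayed DM access (`other-app`) is not flagged; only the token whose granted set exceeds the displayed consent is rejected and its app listed for revocation.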