Third-party apps that use Twitter accounts for authentication could have accessed private direct messages without users’ knowledge. The flaw in Twitter’s API was discovered by IOActive’s CTO, Cesar Cerrudo, and was fixed by Twitter following his report.
The bug involved the registration process in which developers select the level of access an app has to user accounts. An app can be granted “read only”, “read and write” or “read, write and access to direct messages”, and users are shown the requested level on the authorization page when they first sign in to the app.
“After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages,” Cerrudo said on his blog. “I felt that my account was safe, so I signed in and played with the application.”
Although the app Cerrudo tested did require access to read private direct messages, that access did not work at first. After he signed in and out several times, however, the application was able to fetch his private direct messages, through what he called “a huge security hole.”
“They said the issue occurred due to complex code and incorrect assumptions and validations,” Cerrudo said in the blog post.
Twitter has fixed the flaw and, although newly authorized apps will no longer be able to obtain direct-message access this way, apps authorized before the fix may still hold that permission. Users can check the Apps page in Twitter’s Settings menu to see which apps have access to direct messages, and revoke any that should not have it.
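The three permission levels, the symptom of a token ending up with more access than the authorization page showed, and the settings-page check above can be modelled in a few lines. The following is an added example written for this article; it is not Twitter's or IOActive's code. The `sign_in_buggy` path is a hypothetical mechanism chosen only to reproduce the reported symptom (direct-message access appearing after repeated sign-ins); Twitter's actual root cause is not published beyond the "incorrect assumptions and validations" quote. App names, user names and the sample direct messages are constructed.

```python
"""Toy model of per-app permission levels and the consent/token invariant.

Added example for this article, not Twitter's or IOActive's code. The buggy
sign-in path is a hypothetical mechanism that matches the described symptom,
not the published root cause.
"""
from dataclasses import dataclass

# Access levels an app can be registered with, least to most permissive.
LEVELS = ("read", "read-write", "read-write-directmessages")
DM_LEVEL = LEVELS[-1]


def allows(granted: str, needed: str) -> bool:
    """True if a token carrying `granted` may perform an operation needing `needed`."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class Grant:
    shown_level: str   # level displayed on the authorization page the user approved
    token_level: str   # level the issued token actually carries


class AuthServer:
    def __init__(self):
        self.apps = {}     # app name -> level the developer registered
        self.grants = {}   # (user, app) -> Grant
        self.dms = {}      # user -> constructed sample direct messages

    def register_app(self, name: str, level: str) -> None:
        assert level in LEVELS
        self.apps[name] = level

    def sign_in_buggy(self, user: str, app: str, shown_level: str) -> str:
        """First sign-in issues a token at the level the user was shown. A repeat
        sign-in wrongly assumes an existing grant authorizes the app's full
        registered level and re-issues the token at that level (the hypothetical
        flaw in this model, not Twitter's actual code)."""
        prior = self.grants.get((user, app))
        token_level = shown_level if prior is None else self.apps[app]
        self.grants[(user, app)] = Grant(shown_level, token_level)
        return token_level

    def sign_in_fixed(self, user: str, app: str, shown_level: str) -> str:
        """Token level is always the lesser of what the user was shown and what
        the app registered for, regardless of any earlier grant."""
        token_level = min(shown_level, self.apps[app], key=LEVELS.index)
        self.grants[(user, app)] = Grant(shown_level, token_level)
        return token_level

    def fetch_direct_messages(self, user: str, app: str) -> list:
        grant = self.grants[(user, app)]
        if not allows(grant.token_level, DM_LEVEL):
            raise PermissionError(f"{app} may not read {user}'s direct messages")
        return self.dms.get(user, [])


def apps_with_dm_access(server: AuthServer, user: str) -> list:
    """The check a user does by hand on the Apps settings page: which
    authorized apps hold direct-message access, whatever they were shown."""
    return sorted(app for (u, app), g in server.grants.items()
                  if u == user and allows(g.token_level, DM_LEVEL))


def escalated_grants(server: AuthServer, user: str) -> list:
    """Grants whose token exceeds the level the user consented to."""
    return sorted(app for (u, app), g in server.grants.items()
                  if u == user and not allows(g.shown_level, g.token_level))


def demo(buggy: bool = True) -> dict:
    """Replay the scenario: app registered with DM access, consent page shows
    read-write, user signs in twice. Returns how many DMs the app could read
    on each attempt plus the audit results."""
    srv = AuthServer()
    srv.register_app("demo-app", DM_LEVEL)
    srv.dms["cesar"] = ["constructed sample DM 1", "constructed sample DM 2"]
    sign_in = srv.sign_in_buggy if buggy else srv.sign_in_fixed
    result = {}
    for attempt in ("first", "second"):
        sign_in("cesar", "demo-app", "read-write")
        try:
            result[attempt] = len(srv.fetch_direct_messages("cesar", "demo-app"))
        except PermissionError:
            result[attempt] = 0
    result["escalated"] = escalated_grants(srv, "cesar")
    result["dm_apps"] = apps_with_dm_access(srv, "cesar")
    return result


if __name__ == "__main__":
    print("buggy:", demo(buggy=True))
    print("fixed:", demo(buggy=False))
```

The invariant worth keeping in mind is the one `sign_in_fixed` enforces: the level a token carries must never exceed the level the user saw and approved, and that comparison has to be made on every issuance, not only the first. `escalated_grants` is the server-side audit for that invariant; `apps_with_dm_access` is the user-side one the article recommends.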