Article Lead Image

A new Twitter bug lets apps access your DMs

Direct messages are supposed to be private, but thanks to a Twitter bug, some apps can bust open your account and start accessing them anyway.


Kris Holt

Internet Culture

Direct messages are supposed to be private, but thanks to a Twitter bug, some apps can bust open your account and start accessing them anyway.

Cesar Cerrudo, a security researcher, discovered a bug that allowed third-party applications to access his DMs. Unfortunately, he didn’t give the name of the app and blacked out a screenshot proving his privacy was violated. 

Cerrudo, chief technical officer for IOActive, wrote that he is usually reluctant to sign in to applications using his Twitter or Facebook accounts due to “security implications,” but needed to in order to test the software.

The permission screen for the app’s Twitter connectivity stated that if Cerrudo connected his account, the app would allow him to read tweets from his timeline, see who he followed and follow new people, update his profile, and post tweets. The app did not, however, ask for permission to access Cerrudo’s DMs or the ability to view his password.

Cerrudo told the Daily Dot that the app was a client. It mimics the main functions of Twitter: letting you view your timeline, follow others, and post tweets. He added that the app is currently in development and is not available to the public yet.

Cerrudo felt the app was safe to use, so he signed into it using Twitter. He then noticed that the app had the option to access to access and display DMs, yet the feature did not work as the app did not have permission to access that data.

As Cerrudo continued testing the app by logging in and out of both the app and Twitter, he soon noticed that the app was suddenly showing his DMs—”a huge and scary surprise.” 

Through the application settings page on his Twitter account, Cerrudo spotted that the app’s permissions included “read, write, and direct messages,” although he had never given it permission to access DMs.

Cerrudo determined that the app gained DM access when he signed in with Twitter for a second or third time. He wrote:

[W]hen I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session—you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.

He added that he did not have time to unearth the root cause of the issue, and so reported the flaw to Twitter. The company’s security team fixed the bug within 24 hours, according to Cerrudo, while they noted that the issue was due to “complex code and incorrect assumptions and validations.”

Twitter did not respond to a request for comment by time of publication.

While the bug has been patched, Twitter has not publicly disclosed it to users. “I don’t think all issues should be disclosed just important ones specially when users privacy is affected,” suggested Cerrudo, adding that even when it doesn’t appear an issue was not widely exploited, companies which have fixed a security bug “could disclose the issue anyways and say that everything is fine that no users were at risk.”

Cerrudo noted no applications should be able to access DMs in this way from now on, yet the app in question still had access to his DMs until he revoked its access to his account. He also claimed Twitter will add his name to the list of white-hat hackers who’ve helped keep Twitter safe.

With that in mind, it is perhaps worth checking your application settings from your Twitter account and revoking access to those that have more access than you authorized.

And be careful when using your Twitter or Facebook account to sign into another service. The third-party app may not be secure and, as Cerrudo noted, “you could end up with your personal information compromised.”

Photo by Matthew Fang/Flickr

The Daily Dot