You May Have Unknowingly Granted Apps Access To Your Direct Messages

Do you use Twitter to sign in to other applications? If so, you may have unknowingly granted those apps access to your direct messages.

You can read all of the details in the IOActive Blog here (it’s kind of long), but here’s a quick summary of what happened:

The researcher was testing a Twitter app and realized that it had access to his direct messages even though it should NOT have had it: the app had not requested that permission, and he had never authorized it.

After logging in to the application, I suddenly saw something strange. The application was displaying all of my Twitter direct messages. This was a huge and scary surprise. I wondered how this was possible. How had the application bypassed Twitter’s security restrictions? I needed to know the answer.

My surprise didn’t end here. I went to check the application settings. The page said “Permissions: read, write, and direct messages”. I couldn’t understand how this was possible, since I had never authorized the application to access my “private” direct messages. I realized that this was a huge security hole.

Did he mistakenly grant access? Nope. Twitter’s authorization screens state which permissions an app is asking for, and the screen that requests direct message access looks different from the one for read/write access.

After some investigating, he figured out what was happening: the extra permission was handed out only when he signed in through the app while not already logged in to Twitter. In his words: “[W]hen I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages.”
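Users are not the only ones who can check for this. An app that asks for read/write access can verify, after the OAuth dance, that the token it received is not more privileged than what it requested, and refuse to use a token that is. The example below is added here and is not code from the IOActive post or from Twitter; it assumes that Twitter’s v1.1 REST API reported a token’s permission level in an X-Access-Level response header with the values “read”, “read-write” and “read-write-directmessages”, and the sample response headers are constructed to mirror the two sign-in cases described above.

```python
# Added example: app-side check that the access level Twitter granted to a
# token matches what the app asked for. Not code from the IOActive post or
# from Twitter. Assumption: Twitter's v1.1 REST API returned the token's
# permission level in an X-Access-Level header with the three values below.
# The sample headers at the bottom are constructed, not captured.

from typing import Dict, Optional

# Permission levels ordered from least to most privileged (index = rank).
ACCESS_LEVELS = ["read", "read-write", "read-write-directmessages"]


def parse_access_level(headers: Dict[str, str]) -> Optional[str]:
    """Return the normalised X-Access-Level value, or None if it is absent or unknown.

    Header names are matched case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            return level if level in ACCESS_LEVELS else None
    return None


def rank(level: str) -> int:
    """Numeric privilege rank of a known access level (raises ValueError otherwise)."""
    return ACCESS_LEVELS.index(level)


def token_is_overprivileged(requested: str, headers: Dict[str, str]) -> bool:
    """True when the granted level outranks the level the app requested.

    Raises ValueError if the header is missing or unrecognised: an app should
    treat "cannot verify" as a failure, not silently assume the token is fine.
    """
    granted = parse_access_level(headers)
    if granted is None:
        raise ValueError("no usable X-Access-Level header; cannot verify token scope")
    return rank(granted) > rank(requested)


def audit_tokens(requested: str, responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify each stored token as 'ok', 'overprivileged' or 'unverifiable'.

    `responses` maps a token label to the response headers seen when that
    token was last used. Overprivileged tokens are the ones the app should
    discard and re-authorize; unverifiable ones need a manual look.
    """
    result: Dict[str, str] = {}
    for label, headers in responses.items():
        try:
            over = token_is_overprivileged(requested, headers)
        except ValueError:
            result[label] = "unverifiable"
            continue
        result[label] = "overprivileged" if over else "ok"
    return result


# Constructed sample headers (hypothetical), modelled on the two sign-in cases
# in the post: with an active Twitter session the app got what it asked for,
# without one it was handed direct message access it never requested.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "login-with-active-session": {"X-Access-Level": "read-write"},
    "login-without-session": {"x-access-level": "read-write-directmessages"},
    "header-missing": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for label, verdict in audit_tokens("read-write", SAMPLE_RESPONSES).items():
        print(f"{label}: {verdict}")
```

An app that sees `overprivileged` should drop that token and send the user back through authorization rather than keep a credential it was never meant to hold; that is the app-side equivalent of the revoke-and-reconnect advice for users further down.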

Twitter apparently fixed the issue, but didn’t publish a notice about it.

Why should you care? Because an app you connected through that flow may have been granted access to your direct messages without your knowledge.

So check your connected apps and see which ones have access to your direct messages (Twitter lists each app’s permissions under its name) and revoke any that shouldn’t have it.

And you may want to revoke access and re-authorize existing apps regardless, particularly if you use Twitter as your social sign-in method and weren’t already logged in to Twitter when you did so (the condition that triggered the issue when he reproduced it).

Find anything interesting in YOUR connected apps?

(image from Shutterstock)