Researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party.
The flaw is triggered when apps that require a PIN to complete the authorization process instead of the using the OAuth protocol. The expert discovered that some permissions such as that to access direct messages, remained hidden to the Twitter user.
Terence Eden was awarded $2,940 for reporting the bug to Twitter under the bug bounty program operated through the HackerOne platform. According to Eden, the bug resides in the way the official Twitter API handles keys and secrets that could be accessed by app developers even without the service’s authorization.
“For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!
In short, users could be tricked into allowing access to their DMs.”
Twitter implemented some restrictions, the most important one is restricting callback addresses. After successful login, the apps will only return to a predefined URL preventing the abuse of the official Twitter keys to send the user to your app.
The problem is that there are some apps that haven’t a URL or don’t support callbacks. For these apps, Twitter has implemented an alternative authorisation mechanism, users log in, it provides a PIN, they type the PIN into their app.
In this alternative scenario, Eden discovered that apps did not show the correct OAuth details to the user, in particular, that the app was not able to access user direct messages.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.