Twitter recently addressed a security vulnerability that resulted in certain applications not correctly showing all of the permissions they had.
Discovered by Terence Eden, the vulnerability only affected a select set of applications authenticated using a PIN or non-intended OAuth flow. In such cases, the permission dialog would not provide users with full details on what the app could access.
The researcher discovered that the “OAuth screen can be tricked into saying that an app cannot read Direct Messages,” although the application actually had access to those messages.
The root cause of the issue, Eden says, is that developers can create software using the official Twitter API keys that were leaked online several years ago. These keys provide developers with access to Twitter API even if Twitter hasn’t approved the applications, the researcher claims.
Moreover, he reveals that “Twitter’s OAuth screen says that these apps do not have access to Direct Messages,” although these applications do have such permissions. The issue, Eden said, can be reproduced using the iPhone keys and Google TV keys.
The main issue here, the researcher says, is that, based on what’s displayed on the OAuth screen, the user might authorized these apps on their device knowing that they do not have access to their DMs, which may contain sensitive information.
Through the use of the leaked API keys, however, any third-party app would be able to access said private information, which represents a breach of trust, Eden points out.
The researcher disclosed the findings to Twitter’s security team via HackerOne in early November. Twitter revoked the Google TV API keys soon after, and also decided to launch a “comprehensive review of application permissions,” to find similar issues.
Last week, before the vulnerability was made public, Twitter’s security team told the researcher that the Android and iOS applications do have access to DMs by default, although they do not inform the user on that. According to them, no information breach resulted from the bug.
“We do not believe anyone was misled by the permissions that these applications had or that their data was unintentionally accessed by the Twitter for iPhone or Twitter for Google TV applications as those applications use other authentication flows. To our knowledge, there was not a breach of anyone’s information due to this issue. There are no actions people need to take at this time,” the team said.
In September, Twitter patched a security vulnerability related to the Account Activity API (AAAPI), which may have caused direct messages to be sent to third-party developers other than the ones users interacted with.
Related: Bug Exposed Direct Messages of Millions of Twitter Users
Related: Twitter Urges Password Changes After Exposing ‘Unmasked’ Credentials
More from Ionut Arghire
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
- New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries
- CISA Seeks Public Opinion on Cloud Application Security Guidance
Latest News
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
