Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Bug Gives Twitter Apps More Permissions Than Shown

Twitter recently addressed a security vulnerability that resulted in certain applications not correctly showing all of the permissions they had. 

Twitter recently addressed a security vulnerability that resulted in certain applications not correctly showing all of the permissions they had. 

Discovered by Terence Eden, the vulnerability only affected a select set of applications authenticated using a PIN or non-intended OAuth flow. In such cases, the permission dialog would not provide users with full details on what the app could access. 

The researcher discovered that the “OAuth screen can be tricked into saying that an app cannot read Direct Messages,” although the application actually had access to those messages. 

The root cause of the issue, Eden says, is that developers can create software using the official Twitter API keys that were leaked online several years ago. These keys provide developers with access to Twitter API even if Twitter hasn’t approved the applications, the researcher claims

Moreover, he reveals that “Twitter’s OAuth screen says that these apps do not have access to Direct Messages,” although these applications do have such permissions. The issue, Eden said, can be reproduced using the iPhone keys and Google TV keys. 

The main issue here, the researcher says, is that, based on what’s displayed on the OAuth screen, the user might authorized these apps on their device knowing that they do not have access to their DMs, which may contain sensitive information. 

Through the use of the leaked API keys, however, any third-party app would be able to access said private information, which represents a breach of trust, Eden points out. 

The researcher disclosed the findings to Twitter’s security team via HackerOne in early November. Twitter revoked the Google TV API keys soon after, and also decided to launch a “comprehensive review of application permissions,” to find similar issues. 

Last week, before the vulnerability was made public, Twitter’s security team told the researcher that the Android and iOS applications do have access to DMs by default, although they do not inform the user on that. According to them, no information breach resulted from the bug.

“We do not believe anyone was misled by the permissions that these applications had or that their data was unintentionally accessed by the Twitter for iPhone or Twitter for Google TV applications as those applications use other authentication flows. To our knowledge, there was not a breach of anyone’s information due to this issue. There are no actions people need to take at this time,” the team said.

In September, Twitter patched a security vulnerability related to the Account Activity API (AAAPI), which may have caused direct messages to be sent to third-party developers other than the ones users interacted with.

Related: Bug Exposed Direct Messages of Millions of Twitter Users

Related: Twitter Urges Password Changes After Exposing ‘Unmasked’ Credentials

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...