Many Web applications prompt users to sign in using their Twitter or Facebook accounts. While convenient, this means users have to make sure the applications aren’t accidentally ending up with higher levels of access than they require.
That appears to be what happened when Cesar Cerrudo, a security researcher with IOActive, was testing a Web application and tried signing in with his Twitter account. A bug in Twitter’s code allowed third-party applications to access users’ private direct messages even though the users had not explicitly authorized that level of access, Cerrudo wrote in a blog post Tuesday.
While Twitter’s security team has already closed the flaw, which was the result of “complex code and incorrect assumptions and validations,” Cerrudo said users still need to check their list of authorized applications to make sure all the apps have the correct level of access. Some of the applications might have incorrectly gained access to the user’s private direct messages and may still have that access, Cerrudo said.
“After the security fix, the application I tested still had access to direct messages until I revoked it,” Cerrudo wrote.
When Cerrudo first signed in to his test application with his Twitter credentials, he was informed the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The application, which is still under development, would not have access to Direct Messages or his password.
Cerrudo realized during testing that even though the application itself had the functionality to access and display Direct Messages, Twitter blocked those actions because of the permission levels that he’d originally set. For the application to be able to display Direct Messages, it would normally have to explicitly request access via an “Authorize app” page. Cerrudo never saw the request during his testing, he said.
After logging in and out of the application and Twitter a few times, he suddenly discovered that the application had been granted permission to “read, write, and see direct messages.”
“It did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages,” Cerrudo wrote.
From what Cerrudo could tell, the application’s level was originally correctly set to “read and write access,” but after the second or third login attempt, the bug arbitrarily increased the permission level. He was unable to determine what was happening, but reported the issue to Twitter.
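The failure described above is a consent check that does not hold across repeated logins. The following is an added illustration, not Twitter's code or Cerrudo's: a simplified model of the check an authorization server must make every time it issues a token, plus the audit a user would run over their authorized-app list. The three permission levels, the `ConsentStore`, `token_level` and `overprivileged` helpers, and the user and app names are all constructed for the example.

```python
# Added example (not Twitter's code): a minimal model of the consent check a
# sign-in-with-provider flow must make on every login, plus the audit a user
# would run over their authorized-app list. Permission levels follow the
# page's description: read < read+write < read+write+direct messages.

LEVELS = ["read", "read_write", "read_write_dm"]      # ordered by privilege


def rank(level):
    return LEVELS.index(level)


class ConsentStore:
    """Records what each (user, app) pair explicitly approved on the
    'Authorize app' page. Constructed in-memory store for the example."""
    def __init__(self):
        self._grants = {}

    def record(self, user, app, level):
        self._grants[(user, app)] = level

    def consented(self, user, app):
        return self._grants.get((user, app))


def token_level(store, user, app, requested, app_capability):
    """Decide the level a freshly issued token gets on (re)login.
    Returns the level, or None when the user must first see the
    'Authorize app' page again. The hazard this guards against: deriving
    the level from what the app *can* do (app_capability) instead of what
    the user *approved*, so a second or third login silently widens scope."""
    consented = store.consented(user, app)
    if consented is None or rank(requested) > rank(consented):
        return None                       # no silent widening of scope
    # never exceed consent, even when the app is capable of more
    return LEVELS[min(rank(requested), rank(consented), rank(app_capability))]


def overprivileged(authorized_apps, expected):
    """User-side audit: apps whose granted level exceeds what the user
    remembers approving. authorized_apps and expected: {app: level}."""
    return sorted(app for app, lvl in authorized_apps.items()
                  if rank(lvl) > rank(expected.get(app, "read")))


if __name__ == "__main__":
    store = ConsentStore()
    store.record("alice", "test-app", "read_write")     # constructed consent
    print(token_level(store, "alice", "test-app", "read_write", "read_write_dm"))
    print(token_level(store, "alice", "test-app", "read_write_dm", "read_write_dm"))
    print(overprivileged({"test-app": "read_write_dm", "other": "read"},
                         {"test-app": "read_write", "other": "read"}))
```

The audit is the check Cerrudo recommends in the article: any app listed with a level above what you approved should be revoked, since the fix on the server does not retroactively narrow tokens already issued.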
Twitter fixed the bug within 24 hours, but the company neglected to inform the users about the security flaw, he said. “Twitter still needs a bit of improvement, especially when it comes to alerting its users about security issues when privacy is affected,” Cerrudo wrote.
More from Fahmida Y. Rashid