Twitter Bug Exposed Direct Messages to Third Party Apps Without User Approval

Many Web applications prompt users to sign in using their Twitter or Facebook accounts. While convenient, users have to make sure the applications aren’t accidentally winding up with higher levels of access than they require.

That appears to be what happened when Cesar Cerrudo, a security researcher with IOActive, was testing a Web application and tried signing in with his Twitter account. A bug in Twitter’s code allowed third-party applications to access users’ private direct messages even though the users had not explicitly authorized that level of access, Cerrudo wrote in a blog post Tuesday.

While Twitter’s security team has already closed the flaw, which was the result of “complex code and incorrect assumptions and validations,” Cerrudo said users still need to check their list of authorized applications to make sure each app has the correct level of access. Some of the applications might have incorrectly gained access to the user’s private direct messages and may still have that access, Cerrudo said.

“After the security fix, the application I tested still had access to direct messages until I revoked it,” Cerrudo wrote.

When Cerrudo first signed in to his test application with his Twitter credentials, he was informed the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The application, which is still under development, would not have access to Direct Messages or his password.

Cerrudo realized during testing that even though the application itself had the functionality to access and display Direct Messages, Twitter blocked those actions because of the permission levels that he’d originally set. For the application to be able to display Direct Messages, it would normally have to explicitly request access via an “Authorize app” page. Cerrudo never saw the request during his testing, he said.

After logging in and out of the application and Twitter a few times, he suddenly discovered that the application had been granted permission to “read, write, and see direct messages.”

“It did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages,” Cerrudo wrote.

From what Cerrudo could tell, the application’s level was originally correctly set to “read and write access,” but after the second or third login attempt, the bug arbitrarily increased the permission level. He was unable to determine what was happening, but reported the issue to Twitter.
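The behavior Cerrudo describes, a repeat login silently raising an app's permission level above what the user approved, is the kind of defect a consent check on every token issuance is meant to prevent. The following is an added illustration written for this article; it is not Twitter's code or Cerrudo's test application. It models the three permission tiers the article names (read; read and write; read, write and direct messages), and the `ConsentStore`, function names and sample user/app values are assumptions made for the example.

```python
"""Consent-bound token issuance, modelled on the permission tiers in the article.

Added example, not Twitter's code or the researcher's application. The storage
layer, function names and sample values are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Permission tiers as the article describes them, lowest to highest.
# Assumed spelling of the tier names; the ordering is what matters.
LEVELS = ["read", "read-write", "read-write-dm"]


class ConsentRequired(Exception):
    """Raised when an app asks for more than the user explicitly approved."""


@dataclass
class ConsentStore:
    # (user, app) -> the level the user approved on the "Authorize app" page.
    grants: dict = field(default_factory=dict)


def level_rank(level):
    """Numeric rank of a tier so tiers can be compared; unknown tiers are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown permission level: {level!r}")
    return LEVELS.index(level)


def record_consent(store, user, app, level):
    """Persist what the user approved; only the consent page calls this."""
    level_rank(level)  # validate
    store.grants[(user, app)] = level


def issue_token(store, user, app, requested_level):
    """Issue a token for a login, bounded by stored consent.

    A second or third login must never raise the level on its own: if the app
    requests more than was approved, the user has to go back through consent.
    The token is issued at the lower of the requested and approved levels.
    """
    approved = store.grants.get((user, app))
    if approved is None or level_rank(requested_level) > level_rank(approved):
        raise ConsentRequired(
            f"{app} requested {requested_level!r} but user {user} approved {approved!r}"
        )
    granted = min(requested_level, approved, key=level_rank)
    return {"user": user, "app": app, "level": granted}


def audit_grants(store, tokens):
    """Return tokens whose level exceeds stored consent.

    This is the check a user performs by hand when reviewing the authorized
    applications list: an app holding more than was approved should be revoked.
    A token for which no consent exists at all is always reported.
    """
    escalated = []
    for token in tokens:
        approved = store.grants.get((token["user"], token["app"]))
        approved_rank = level_rank(approved) if approved is not None else -1
        if level_rank(token["level"]) > approved_rank:
            escalated.append(token)
    return escalated


if __name__ == "__main__":
    # Constructed sample: the user approved "read and write" for a test app.
    store = ConsentStore()
    record_consent(store, "alice", "testapp", "read-write")
    print(issue_token(store, "alice", "testapp", "read-write"))
    try:
        issue_token(store, "alice", "testapp", "read-write-dm")
    except ConsentRequired as exc:
        print("blocked:", exc)
    # A token that somehow carries DM access is flagged for revocation.
    print(audit_grants(store, [{"user": "alice", "app": "testapp", "level": "read-write-dm"}]))
```

The design point is that the approved level lives with the consent record, not with the login flow, so nothing a repeated sign-in does can widen it; the audit function covers the article's second recommendation, reviewing existing grants after a fix.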

Twitter fixed the bug within 24 hours, but the company neglected to inform users about the security flaw, he said. “Twitter still needs a bit of improvement, especially when it comes to alerting its users about security issues when privacy is affected,” Cerrudo wrote.
