Many Web applications prompt users to sign in using their Twitter or Facebook accounts. Convenient as that is, users have to make sure the applications aren’t accidentally winding up with higher levels of access than they require.
That appears to be what happened when Cesar Cerrudo, a security researcher with IOActive, was testing a Web application and tried signing in with his Twitter account. A bug in Twitter’s code allowed third-party applications to access users’ private direct messages even though the users had not explicitly authorized that level of access, Cerrudo wrote in a blog post Tuesday.
While Twitter’s security team has already closed the flaw, which was the result of “complex code and incorrect assumptions and validations,” Cerrudo said users still need to check their list of authorized applications to make sure all the apps have the correct level of access. Some of the applications might have incorrectly gained access to the user’s private direct messages and may still have that access, Cerrudo said.
“After the security fix, the application I tested still had access to direct messages until I revoked it,” Cerrudo wrote.
When Cerrudo first signed in to his test application with his Twitter credentials, he was informed the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The application, which is still under development, would not have access to Direct Messages or his password.
Cerrudo realized during testing that even though the application itself had the functionality to access and display Direct Messages, Twitter blocked those actions because of the permission levels that he’d originally set. For the application to be able to display Direct Messages, it would normally have to explicitly request access via an “Authorize app” page. Cerrudo never saw the request during his testing, he said.
After logging in and out of the application and Twitter a few times, he suddenly discovered that the application had been granted permission to “read, write, and see direct messages.”
“It did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages,” Cerrudo wrote.
From what Cerrudo could tell, the application’s level was originally set correctly to “read and write access,” but after the second or third login attempt, the bug arbitrarily increased the permission level. He was unable to determine what was happening, but reported the issue to Twitter.
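The two checks the article implies are both least-privilege comparisons: an application verifying, after the token exchange, that the access level it was granted is no higher than the level it asked for, and a user reviewing the authorized-apps list for any app whose current level exceeds what it was originally given. The following Python is an added example written for this article; it is not Twitter’s or IOActive’s code. It assumes a strict three-step ladder of levels named after the ones in the text (“read”, “read and write”, “read, write, and direct messages”), a hypothetical `X-Access-Level` response header carrying the granted level, and constructed sample data for the authorized-apps review.

```python
"""Least-privilege checks for OAuth access levels.

Added example, not code from the article, Twitter or IOActive.
The level names, the header name and the sample apps below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: levels form a strict ladder from least to most privileged.
LEVELS = ("read", "read-write", "read-write-directmessages")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class AuthorizedApp:
    name: str
    requested: str  # level the app asked for when the user first authorized it
    granted: str    # level currently shown in the account's authorized-apps list


def exceeds(granted: str, requested: str) -> bool:
    """True when the granted level is more privileged than the requested one.

    Unknown level strings are an error rather than silently treated as 'read',
    so a renamed or new level cannot slip past the comparison.
    """
    if granted not in RANK or requested not in RANK:
        raise ValueError(f"unknown access level: {granted!r} / {requested!r}")
    return RANK[granted] > RANK[requested]


def check_token_response(headers: Dict[str, str], requested: str,
                         header: str = "X-Access-Level") -> Optional[str]:
    """Application-side check after the token exchange.

    Compares the level the API reports (hypothetical header, case-sensitive
    lookup here) against what the app asked for.  Returns a warning string
    when the grant is wider than requested or cannot be confirmed, None when
    the grant matches.  A missing header is reported, not assumed benign.
    """
    granted = headers.get(header)
    if granted is None:
        return f"no {header} header; cannot confirm granted access level"
    if exceeds(granted, requested):
        return f"granted {granted!r} exceeds requested {requested!r}"
    return None


def audit_apps(apps: List[AuthorizedApp]) -> List[AuthorizedApp]:
    """User-side review: every app whose current level is above the level it
    was originally supposed to have.  These are the candidates to revoke."""
    return [app for app in apps if exceeds(app.granted, app.requested)]


# Constructed sample: one app has drifted up to direct-message access.
SAMPLE_APPS = [
    AuthorizedApp("test-app", "read-write", "read-write-directmessages"),
    AuthorizedApp("news-reader", "read", "read"),
    AuthorizedApp("scheduler", "read-write", "read-write"),
]

if __name__ == "__main__":
    for app in audit_apps(SAMPLE_APPS):
        print(f"review/revoke: {app.name} has {app.granted}, expected {app.requested}")
    # Simulated token response (constructed) reporting a wider grant than requested.
    print(check_token_response({"X-Access-Level": "read-write-directmessages"}, "read-write"))
```

The application-side check is the part most worth keeping: an app that refuses to proceed when the reported level is wider than it requested fails closed on exactly the kind of silent escalation described here, instead of quietly gaining access to data it never asked for.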
Twitter fixed the bug within 24 hours, but the company neglected to inform users about the security flaw, he said. “Twitter still needs a bit of improvement, especially when it comes to alerting its users about security issues when privacy is affected,” Cerrudo wrote.