Critical Flaw in Twitter Gave Third-Party Apps Unauthorised Access to Direct Messages

A security researcher discovered a bug in Twitter's app authorization flow that could have exposed users' direct messages to third-party apps.

The flaw was found by security researcher Terence Eden, who reported that the permissions dialogue shown when authorizing certain apps on Twitter misrepresented what those apps could do: third-party apps were able to read users' direct messages even though the dialogue said otherwise.

The flaw affects apps that complete the authorization process with a PIN (the out-of-band variant of Twitter's OAuth 1.0a flow) instead of a callback URL. In that flow, some permissions, such as access to direct messages, were not shown to the user at all.

According to the researcher, the root cause lies in the way Twitter handles the API keys and secrets of its own official apps: they are effectively available to any app developer, and using them requires no further authorization from Twitter.

Twitter does have restrictions in place, such as locking down callback addresses: after a successful login, an app is only ever returned to the URL predefined for that key, which is meant to stop a developer from using the official Twitter keys with their own app.

But not every app has a URL or supports callbacks. For such cases Twitter offers a secondary authorisation mechanism, PIN-based authorisation, which needs no callback at all.

“You log in, it provides a PIN, you type the PIN into your app.” The app is then authorized to view your content.

The researcher observed that the PIN-based authorization page for these apps does not show the user the correct OAuth permissions. The dialogue states that the app does not have access to the user's direct messages, when in truth it does.
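The PIN flow described above, together with the check a client can run afterwards, as an added illustration that is not part of this article and is not Twitter's own code. It is a toy model in Python of OAuth 1.0a's out-of-band (PIN) flow: the app requests a token with oauth_callback set to "oob", the user approves on the consent page and is shown a PIN, and the app exchanges that PIN as the oauth_verifier for an access token. The example then does what a careful client should do after authorization: compare the permissions the consent page displayed with the x-access-level header that Twitter's account/verify_credentials endpoint returns for the token. The provider, tokens, PIN and consent text are all constructed here; ToyProvider, run_pin_flow and exceeds_displayed are hypothetical names, not Twitter API functions.

```python
import hmac
import secrets

# Access levels Twitter reports in the x-access-level header, least to most privileged.
ACCESS_LEVELS = ["read", "read-write", "read-write-directmessages"]


def exceeds_displayed(displayed, actual):
    """True if the token's real access level is higher than the consent page showed."""
    return ACCESS_LEVELS.index(actual) > ACCESS_LEVELS.index(displayed)


class ToyProvider:
    """Constructed stand-in for the provider side of the three OAuth 1.0a legs."""

    def __init__(self, level_actually_granted):
        self.granted = level_actually_granted  # what issued tokens really get
        self.pending = {}                      # request_token -> record
        self.issued = {}                       # access_token -> access level

    def request_token(self, consumer_key, oauth_callback):
        # Leg 1: oauth_callback="oob" selects the PIN flow (no redirect URL).
        token = secrets.token_hex(8)
        self.pending[token] = {"consumer": consumer_key,
                               "oob": oauth_callback == "oob", "pin": None}
        return token

    def authorize(self, request_token, level_on_consent_page):
        # Leg 2: the user approves; with oob the page shows a PIN instead of redirecting.
        rec = self.pending[request_token]
        if not rec["oob"]:
            raise ValueError("callback flows redirect with oauth_verifier instead")
        rec["pin"] = "%07d" % secrets.randbelow(10_000_000)
        rec["displayed"] = level_on_consent_page   # what the user was told
        return rec["pin"]

    def access_token(self, request_token, oauth_verifier):
        # Leg 3: the PIN is the oauth_verifier; single use, constant-time compare.
        rec = self.pending.pop(request_token)
        if not hmac.compare_digest(rec["pin"], oauth_verifier):
            raise PermissionError("wrong PIN")
        token = secrets.token_hex(8)
        self.issued[token] = self.granted   # note: independent of rec["displayed"]
        return token

    def verify_credentials(self, access_token):
        # Models the response headers of GET account/verify_credentials.
        return {"x-access-level": self.issued[access_token]}


def run_pin_flow(provider, consumer_key, level_on_consent_page):
    """Client side of the PIN flow, ending with the post-authorization check."""
    rt = provider.request_token(consumer_key, oauth_callback="oob")
    pin = provider.authorize(rt, level_on_consent_page)  # user reads PIN off the page
    at = provider.access_token(rt, oauth_verifier=pin)   # user types PIN into the app
    actual = provider.verify_credentials(at)["x-access-level"]
    return {"displayed": level_on_consent_page, "actual": actual,
            "escalated": exceeds_displayed(level_on_consent_page, actual)}


if __name__ == "__main__":
    # Constructed scenario matching the report: the page says no DM access,
    # but the token comes back with read-write-directmessages.
    provider = ToyProvider("read-write-directmessages")
    print(run_pin_flow(provider, "constructed-consumer-key", "read-write"))
```

The check at the end is the practical takeaway: an app (or a user auditing one) should not trust the consent page alone, but read the access level the token actually carries and treat anything above what was displayed as a problem.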

The researcher submitted his findings through HackerOne on November 6; the report was accepted the same day after he provided clarification and a proof of concept.

On December 6, Twitter fixed the issue and awarded the researcher $2,940 for the report.

