App poked through Twitter hole, probed my privates - security bod
OAuth permission snafu spooks researcher
Security researchers have outlined the danger that tweeters face if they "save time" by signing into third-party applications using a Twitter account.
Developers can allow users to log into their applications using Twitter or Facebook using the OAuth authentication standard - which saves the user time as well as minimising the number of account login credentials he or she needs to remember. But certain miscreants are abusing the security feature to implement workarounds which violate users' privacy.
Authorised applications typically gain access to a user's Twitter public feed (such as the ability to read tweets from their timeline and see who a user follows). In addition, applications can also be given to ability to post tweets under a user's profile. But third-party applications should not have access to passwords, even after a user signs in with Twitter, as that would defeat the purpose of OAuth. Direct messages also ought to be out of bounds.
However Cesar Cerrudo, chief technology officer at security firm IOActive, discovered it was possible for such third-party applications to obtain access to a user's direct messages without prior notification or permission. Cerrudo came across the issue while experimenting with an application that bundled functionality to access and display Twitter direct messages.
The functionality didn't work initially, and shouldn't work at all, unless the users granted proper authorisation through a second (separate) security permission page.
The page invites users to "Authorize app" instead of "Sign in", which many users might miss in their haste to type in their username and password. Cerrudo didn't grant this permission, but as he continued to experiment with the application, logging in and out from the application and Twitter, he noticed that the application had begun displaying all his Twitter direct messages.
This prompted him towards investigating how the application had bypassed Twitter’s security restrictions.
After some testing, I found that the application obtained access to my private direct messages when I signed in with Twitter for a second or third time. The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its “Sign in with Twitter” web page.
Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorisation, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.
Cerrudo central concern is that he never authorised the application to gain access to direct messages he sent on Twitter. "I never authorised the application, and I did not encounter a web page requesting my authorisation to give the application access to my private direct messages," he writes.
The security researcher reported the issue to Twitter, which reportedly resolved the problem within 24 hours by 17 January. Cerrudo praises this response but faults Twitter for failing to publish an advisory about the issue.
The two basic morals of the story are that users would do well to think twice before signing in to third-arty apps with their Twitter credentials. And after they sign up, they would do well to periodically check permissions.
"There should be millions of Twitter users (remember Twitter has 200 million active users) that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users' private direct messages (after the security fix the application I tested still had access to direct messages until I revoked it)," Cerrudo said. ®
I just had an epiphany...
I just realised....all this time people had called me a skeptic, a naysayer, or just a negative-nancy about things like logging in using a Twitter or Facebook account - or effectively using any sort of system or product that wants you to log in or connect with an account from another place....
......it turns out that what to me was a blindingly obvious 'duh!' in that the only reason I could see for them to want me to sign in with a social network login was so they could access all of my data and post their own little threads and invites on my profile, and to my friends - is actually a newsworthy story. I genuinely thought everyone else assumed this was what it was for. It's like the Google toolbar, watching and sending off everything you do to Google's own little collected-data pond.
Wow, maybe people are dumber than I thought.
Re: Eh? What?
Twitter is more than what is available on public feeds. I don't post a lot of public tweets and my profile has no information on it at all, but I do frequently direct message companies' support Twitter accounts (since that results in the fastest response). Direct Messages are supposed to be secured so they frequently contain things like account numbers, phone numbers, addresses, etc. A hacker can grab all that info very easily if they access your Twitter account.
Also, many sites allow "sign in with Twitter". Getting the Twitter user name and password could allow hackers to automatically log into Facebook, Yahoo, Google, etc.
The sort of people who feel the need to send out a 140 character bulletin when they take a dump are worried about privacy?
How does that work?