
App poked through Twitter hole, probed my privates - security bod

OAuth permission snafu spooks researcher


Security researchers have outlined the danger that tweeters face if they "save time" by signing into third-party applications using a Twitter account.

Developers can let users log into their applications with a Twitter or Facebook account via the OAuth authorisation standard, which saves the user time and reduces the number of login credentials he or she needs to remember. But some miscreants are abusing the feature to implement workarounds that violate users' privacy.

Authorised applications typically gain access to a user's public Twitter feed (such as the ability to read tweets from their timeline and see who the user follows). In addition, applications can be given the ability to post tweets under the user's profile. But third-party applications should never have access to passwords, even after a user signs in with Twitter, as that would defeat the purpose of OAuth. Direct messages also ought to be out of bounds unless separately authorised.

However Cesar Cerrudo, chief technology officer at security firm IOActive, discovered it was possible for such third-party applications to obtain access to a user's direct messages without prior notification or permission. Cerrudo came across the issue while experimenting with an application that bundled functionality to access and display Twitter direct messages.

The functionality didn't work initially, and shouldn't work at all, unless the user grants the extra permission through a second (separate) authorisation page.

The page invites users to "Authorize app" instead of "Sign in", which many users might miss in their haste to type in their username and password. Cerrudo didn't grant this permission, but as he continued to experiment with the application, logging in and out from the application and Twitter, he noticed that the application had begun displaying all his Twitter direct messages.

This prompted him to investigate how the application had bypassed Twitter's security restrictions. In his own words:

After some testing, I found that the application obtained access to my private direct messages when I signed in with Twitter for a second or third time. The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its “Sign in with Twitter” web page.

Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorisation, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.

Cerrudo's central concern is that he never authorised the application to gain access to the direct messages he sent on Twitter. "I never authorised the application, and I did not encounter a web page requesting my authorisation to give the application access to my private direct messages," he writes.

The security researcher reported the issue to Twitter, which reportedly resolved the problem within 24 hours by 17 January. Cerrudo praises this response but faults Twitter for failing to publish an advisory about the issue.

The two basic morals of the story are that users would do well to think twice before signing in to third-party apps with their Twitter account, and that after they sign up they should periodically check which permissions those apps hold.
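The defect Cerrudo describes is a token that comes back from a repeated sign-in carrying more access than the user ever consented to, and the advice that follows is to audit connected apps regularly. The following Python is an added example, not code from the article, from IOActive or from Twitter: it keeps a per-app consent ledger, flags any sign-in whose token scope exceeds the recorded consent, and lists apps that currently hold direct-message access. The permission level names (`read`, `read_write`, `read_write_dm`), the `app_id` and `scope` fields of the token response, and the sample responses are all constructed for the example and do not reflect Twitter's real API.

```python
"""Consent-ledger check for OAuth scope escalation across repeated sign-ins.

Added example: the level names, token-response shape and sample data are
assumptions constructed for illustration, not Twitter's actual API.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Ordered permission levels, loosely modelled on the three tiers the article
# describes: read-only, read/write, and read/write plus direct messages.
LEVELS = {"read": 0, "read_write": 1, "read_write_dm": 2}


@dataclass
class Consent:
    app_id: str
    granted_level: str   # level the user saw and accepted on an authorisation page
    token_level: str     # level carried by the most recently received token


class ConsentLedger:
    """Tracks what each app was allowed to do versus what its token can do."""

    def __init__(self) -> None:
        self.consents = {}
        self.alerts: List[str] = []

    def record_sign_in(self, token_response: str,
                       consented_level: Optional[str] = None) -> Optional[str]:
        """Call after every sign-in callback.

        token_response: JSON with constructed fields "app_id" and "scope".
        consented_level: set only when the user actually went through an
        authorisation page this time; None means a plain "Sign in" flow, which
        must not widen the previously recorded consent.
        Returns an alert string when the token's scope exceeds consent.
        """
        data = json.loads(token_response)
        app_id, token_level = data["app_id"], data["scope"]
        if token_level not in LEVELS:
            raise ValueError(f"unknown scope {token_level!r}")

        if app_id not in self.consents:
            # First sign-in: the consent screen the user saw is the baseline.
            self.consents[app_id] = Consent(app_id, consented_level or token_level, token_level)
            return None

        consent = self.consents[app_id]
        if consented_level is not None:
            consent.granted_level = consented_level
        consent.token_level = token_level

        if LEVELS[token_level] > LEVELS[consent.granted_level]:
            alert = (f"{app_id}: token scope {token_level} exceeds "
                     f"consented level {consent.granted_level}")
            self.alerts.append(alert)
            return alert
        return None

    def audit(self, sensitive_level: str = "read_write_dm") -> List[str]:
        """Periodic check: apps whose current token reaches the sensitive tier."""
        return sorted(c.app_id for c in self.consents.values()
                      if LEVELS[c.token_level] >= LEVELS[sensitive_level])

    def revoke(self, app_id: str) -> bool:
        """Drop an app from the ledger, mirroring revocation on the provider side."""
        return self.consents.pop(app_id, None) is not None


def demo() -> dict:
    """Replays the sequence from the article with constructed token responses."""
    ledger = ConsentLedger()
    # First sign-in: user sees and accepts a read/write consent screen.
    first = ledger.record_sign_in(
        '{"app_id": "example-app", "scope": "read_write"}', consented_level="read_write")
    # Second sign-in with a fresh username/password entry and no new consent page,
    # yet the token now carries direct-message access.
    second = ledger.record_sign_in('{"app_id": "example-app", "scope": "read_write_dm"}')
    dm_apps = ledger.audit()
    revoked = ledger.revoke("example-app")
    return {"first": first, "second": second, "dm_apps": dm_apps,
            "revoked": revoked, "after_revoke": ledger.audit()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choice is that a plain sign-in never updates `granted_level`; only an explicit consent page does. That is exactly the invariant the bypass violated, and it is what makes the second sign-in in `demo()` raise an alert rather than silently widening the app's access.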

"There should be millions of Twitter users (remember Twitter has 200 million active users) that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users' private direct messages (after the security fix the application I tested still had access to direct messages until I revoked it)," Cerrudo said. ®
