Feeds

App poked through Twitter hole, probed my privates - security bod

OAuth permission snafu spooks researcher

Providing a secure and efficient Helpdesk

Security researchers have outlined the danger that tweeters face if they "save time" by signing into third-party applications using a Twitter account.

Developers can allow users to log into their applications using Twitter or Facebook using the OAuth authentication standard - which saves the user time as well as minimising the number of account login credentials he or she needs to remember. But certain miscreants are abusing the security feature to implement workarounds which violate users' privacy.

Authorised applications typically gain access to a user's Twitter public feed (such as the ability to read tweets from their timeline and see who a user follows). In addition, applications can also be given to ability to post tweets under a user's profile. But third-party applications should not have access to passwords, even after a user signs in with Twitter, as that would defeat the purpose of OAuth. Direct messages also ought to be out of bounds.

However Cesar Cerrudo, chief technology officer at security firm IOActive, discovered it was possible for such third-party applications to obtain access to a user's direct messages without prior notification or permission. Cerrudo came across the issue while experimenting with an application that bundled functionality to access and display Twitter direct messages.

The functionality didn't work initially, and shouldn't work at all, unless the users granted proper authorisation through a second (separate) security permission page.

The page invites users to "Authorize app" instead of "Sign in", which many users might miss in their haste to type in their username and password. Cerrudo didn't grant this permission, but as he continued to experiment with the application, logging in and out from the application and Twitter, he noticed that the application had begun displaying all his Twitter direct messages.

This prompted him towards investigating how the application had bypassed Twitter’s security restrictions.

After some testing, I found that the application obtained access to my private direct messages when I signed in with Twitter for a second or third time. The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its “Sign in with Twitter” web page.

Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorisation, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.

Cerrudo central concern is that he never authorised the application to gain access to direct messages he sent on Twitter. "I never authorised the application, and I did not encounter a web page requesting my authorisation to give the application access to my private direct messages," he writes.

The security researcher reported the issue to Twitter, which reportedly resolved the problem within 24 hours by 17 January. Cerrudo praises this response but faults Twitter for failing to publish an advisory about the issue.

The two basic morals of the story are that users would do well to think twice before signing in to third-arty apps with their Twitter credentials. And after they sign up, they would do well to periodically check permissions.

"There should be millions of Twitter users (remember Twitter has 200 million active users) that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users' private direct messages (after the security fix the application I tested still had access to direct messages until I revoked it)," Cerrudo said. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.