App poked through Twitter hole, probed my privates - security bod
OAuth permission snafu spooks researcher
Security researchers have outlined the danger that tweeters face if they "save time" by signing into third-party applications using a Twitter account.
Developers can allow users to log into their applications using Twitter or Facebook using the OAuth authentication standard - which saves the user time as well as minimising the number of account login credentials he or she needs to remember. But certain miscreants are abusing the security feature to implement workarounds which violate users' privacy.
Authorised applications typically gain access to a user's Twitter public feed (such as the ability to read tweets from their timeline and see who a user follows). In addition, applications can also be given to ability to post tweets under a user's profile. But third-party applications should not have access to passwords, even after a user signs in with Twitter, as that would defeat the purpose of OAuth. Direct messages also ought to be out of bounds.
However Cesar Cerrudo, chief technology officer at security firm IOActive, discovered it was possible for such third-party applications to obtain access to a user's direct messages without prior notification or permission. Cerrudo came across the issue while experimenting with an application that bundled functionality to access and display Twitter direct messages.
The functionality didn't work initially, and shouldn't work at all, unless the users granted proper authorisation through a second (separate) security permission page.
The page invites users to "Authorize app" instead of "Sign in", which many users might miss in their haste to type in their username and password. Cerrudo didn't grant this permission, but as he continued to experiment with the application, logging in and out from the application and Twitter, he noticed that the application had begun displaying all his Twitter direct messages.
This prompted him towards investigating how the application had bypassed Twitter’s security restrictions.
After some testing, I found that the application obtained access to my private direct messages when I signed in with Twitter for a second or third time. The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its “Sign in with Twitter” web page.
Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorisation, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.
Cerrudo central concern is that he never authorised the application to gain access to direct messages he sent on Twitter. "I never authorised the application, and I did not encounter a web page requesting my authorisation to give the application access to my private direct messages," he writes.
The security researcher reported the issue to Twitter, which reportedly resolved the problem within 24 hours by 17 January. Cerrudo praises this response but faults Twitter for failing to publish an advisory about the issue.
The two basic morals of the story are that users would do well to think twice before signing in to third-arty apps with their Twitter credentials. And after they sign up, they would do well to periodically check permissions.
"There should be millions of Twitter users (remember Twitter has 200 million active users) that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users' private direct messages (after the security fix the application I tested still had access to direct messages until I revoked it)," Cerrudo said. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016