NEWS - January 23, 2013
by Carol~ - 1/23/13 12:10 PM
Twitter Bug Changes Application Security Levels on Twitter
A security researcher uncovered a bug in Twitter's code which may have resulted in some third-party applications getting access to private direct messages without the user's explicit approval.
Many Web applications allow users to sign in using their Twitter and Facebook accounts instead of creating yet another account. It is convenient for users, and application developers can access user data stored on the social networking site. Cesar Cerrudo, a security researcher with IOActive, stumbled across a flaw in which these applications could wind up with higher levels of access than they should have.
In a post on the IOActive Labs Research blog, Cerrudo described how he was testing a Web application (still under development) which allowed users to sign in with Twitter or Facebook. At the "Sign in" page, Cerrudo saw that the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The page also explicitly stated the application would not have access to his Direct Messages or his password.
Continued: http://securitywatch.pcmag.com/none/307241-twitter-bug-changes-application-security-levels-on-twitter
Twitter Bug Allowed Apps to Access Direct Messages Without Permission
Twitter bug gives 3rd-party apps access to users' Direct Messages
Twitter Bug Exposed Direct Messages to Third Party Apps Without User Approval
Twitter Fixes Bug That Allowed Third-Party Apps to Access DMs Without Permission