Social networking sites such as Twitter and Facebook have become not just communication hubs, but also authentication mechanisms for third-party sites. Many sites and Web applications allow users to sign in with their Facebook or Twitter credentials rather than registering, which is a nice convenience. That is, until it turns into a security liability. Security researcher Cesar Cerrudo recently discovered a bug in Twitter’s code that enabled third-party apps to access users’ private direct messages under some circumstances, even when users had not explicitly granted those apps that level of access.
Twitter, like many similar services, gives users the ability to authorize certain third-party applications to access their accounts. This includes things such as the Twitter app for the iPhone or Android devices, the buttons on Web sites that allow users to tweet a link to the site and mobile browsers on smartphones. Those apps can have differing levels of permissions on a given user’s account, depending upon the app and what the user has approved for each app. For example, some apps may request permission to read from and write to your Twitter timeline, see who you follow and update your profile. Others may have those permissions, as well as the ability to access your direct messages, which are meant to be private.
Cerrudo, a security researcher at IOActive, discovered that some third-party applications have the ability to access those DMs regardless of whether a user has allowed that access. While testing a Web application, Cerrudo looked at the functionality that enabled users to sign in to the app with their Twitter credentials and initially saw a page on Twitter that said the app would have permission to read the user’s tweets, post new tweets from his account, see who he follows and who follows him and also update his profile.
The app did not request the ability to access the user’s direct messages. However, after further testing, Cerrudo found that permission level changed after he logged out and signed back in a couple of times. Confused, Cerrudo looked a little deeper to see what was going on.
“I continued playing with the application for some time, viewing the functionality, logging in and out from the application and Twitter, and so on. After logging in to the application, I suddenly saw something strange. The application was displaying all of my Twitter direct messages. This was a huge and scary surprise. I wondered how this was possible. How had the application bypassed Twitter’s security restrictions? I needed to know the answer,” Cerrudo said in an analysis of the bug.
“My surprise didn’t end here. I went to https://twitter.com/settings/applications to check the application settings. The page said ‘Permissions: read, write, and direct messages’. I couldn’t understand how this was possible, since I had never authorized the application to access my ‘private’ direct messages. I realized that this was a huge security hole.” Cerrudo kept digging to discover what was allowing the app to increase its permission level arbitrarily. What he found was that after signing out and logging back in two or three times, the app suddenly gained the ability to view his direct messages on Twitter. What he couldn’t figure out, however, was why this was happening. Cerrudo reported the problem to Twitter’s security team, which developed and deployed a fix quickly.
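The permission model and the failure described above, as an added example that is neither Twitter's code nor Cerrudo's (the scope names, the consent store and the audit check are assumed for illustration): a token issued on a repeat login is capped at the scopes the user originally approved, and an audit pass over issued tokens flags any that received more than that consent.

```python
# Added example, not Twitter's code: a minimal OAuth-style consent store that
# caps each token issued at (re)login to the scopes the user actually approved,
# plus an audit check that flags tokens granted more than that consent.
from dataclasses import dataclass, field

SCOPES = {"read", "write", "direct_messages"}  # assumed scope names


@dataclass
class ConsentStore:
    # (user, app) -> scopes the user explicitly approved on the consent page
    consents: dict = field(default_factory=dict)
    issued: list = field(default_factory=list)  # audit trail of issued tokens

    def record_consent(self, user, app, scopes):
        scopes = set(scopes)
        unknown = scopes - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self.consents[(user, app)] = scopes

    def issue_token(self, user, app, requested):
        """Correct behaviour: scopes granted on a repeat login are bounded by
        the stored consent, whatever the app asks for this time."""
        approved = self.consents.get((user, app))
        if approved is None:
            raise PermissionError("no consent on file; user must approve first")
        granted = set(requested) & approved
        self.issued.append({"user": user, "app": app, "scopes": granted})
        return granted


def unchecked_issue(store, user, app, requested):
    """Constructed model of the failure mode: a login path that trusts the
    requested scopes without re-checking consent. Used to feed the audit."""
    granted = set(requested) & SCOPES
    store.issued.append({"user": user, "app": app, "scopes": granted})
    return granted


def find_escalations(store):
    """Return (user, app, extra_scopes) for tokens exceeding recorded consent."""
    bad = []
    for tok in store.issued:
        approved = store.consents.get((tok["user"], tok["app"]), set())
        extra = tok["scopes"] - approved
        if extra:
            bad.append((tok["user"], tok["app"], sorted(extra)))
    return bad
```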
“Their team was very fast and responsive. They said the issue occurred due to complex code and incorrect assumptions and validations. While I think the Twitter security team is great, I do not think the same of the Twitter vulnerability disclosure policy. The vulnerability was fixed on January 17, 2013, but Twitter has not issued any alerts/advisories notifying users,” Cerrudo said.
Users can check which apps are authorized to access their account and take specific actions on their behalf by going to https://twitter.com/settings/applications.