An application programming interface (API) bug in Twitter, found earlier in December, allowed third-party apps to read users’ direct messages. The bug affected the permission dialog shown when a user authorizes certain third-party applications. As a result, direct messages, Twitter’s private messaging feature, could be exposed to the third party without the user’s knowledge or approval.
Terence Eden discovered the bug and reported it through the HackerOne bug bounty platform. HackerOne is a vulnerability coordination and bug bounty program that connects businesses with security researchers and is one of the largest platforms of its kind. Reporting the bug earned Eden a reward of $2,940.
The flaw was triggered by apps that complete the OAuth authorization with a PIN rather than a callback URL. Eden disclosed that some permissions, such as access to direct messages, remained hidden from the Twitter user on the authorization screen.
Terence Eden stated:
Many years ago the official Twitter API keys were leaked. This means that app authors who can’t get their app approved by Twitter are still able to access the Twitter API. For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do! In short, users could be tricked into allowing access to their DMs.
Twitter had previously enforced some restrictions to limit the damage from leaked API keys. For example, once the user logs in and approves an app, Twitter redirects only to the callback URL registered for that app’s key, so a leaked key cannot be used to receive tokens at an arbitrary URL. However, because some apps (command-line or desktop tools, for instance) have no URL to redirect to, Twitter offers an alternative: PIN-based authorization.
“You log in, it provides a PIN, you type the PIN into your app.” This then allows the app to read direct messages, even though the authorization screen does not display that permission.
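The PIN flow described above is OAuth 1.0a with an out-of-band (“oob”) callback: the verifier that would normally arrive at the registered callback URL is shown to the user as a PIN instead, and the user copies it into the app. The following is an added example, not code from the article or from Twitter, of a hypothetical provider that supports both styles and derives the consent screen and the access token’s permission level from the same app registration record, so that what the user sees matches what the token can do in either mode. Every name in it (AppRegistration, AuthServer, the permission labels, the two demo apps and their keys) is constructed for illustration; the page does not describe the internal cause of Twitter’s bug, so this models the correct behaviour and the check a reviewer would run, not the bug itself.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed, human-readable grants keyed by the permission level an app was
# registered with. Hypothetical labels, not Twitter's actual strings.
PERMISSION_TEXT: Dict[str, List[str]] = {
    "read": ["Read Tweets from your timeline", "See who you follow"],
    "read-write": ["Read Tweets from your timeline", "See who you follow",
                   "Post Tweets for you"],
    "read-write-dm": ["Read Tweets from your timeline", "See who you follow",
                      "Post Tweets for you", "Read and send Direct Messages"],
}


@dataclass
class AppRegistration:
    name: str
    consumer_key: str
    permission: str              # authoritative level; token scope comes from here
    callback_url: Optional[str]  # None: the app can only use PIN ("oob") authorization


@dataclass
class RequestToken:
    app: AppRegistration
    oob: bool                    # True when oauth_callback was "oob" (PIN flow)
    verifier: Optional[str] = None
    used: bool = False


class AuthServer:
    """Hypothetical provider side of OAuth 1.0a three-legged authorization."""

    def __init__(self, apps: List[AppRegistration]) -> None:
        self.apps = {a.consumer_key: a for a in apps}
        self.request_tokens: Dict[str, RequestToken] = {}

    def request_token(self, consumer_key: str, oauth_callback: str) -> str:
        app = self.apps[consumer_key]
        if oauth_callback == "oob":
            oob = True
        elif app.callback_url is not None and oauth_callback == app.callback_url:
            oob = False  # only the registered URL may receive the verifier
        else:
            raise PermissionError("oauth_callback does not match the registered URL")
        token = secrets.token_hex(8)
        self.request_tokens[token] = RequestToken(app, oob)
        return token

    def consent_screen(self, token: str) -> Dict[str, object]:
        rt = self.request_tokens[token]
        # What the user sees is derived from the same registration record that
        # governs the access token, whichever callback style the app uses.
        return {"app": rt.app.name, "mode": "pin" if rt.oob else "callback",
                "permissions": list(PERMISSION_TEXT[rt.app.permission])}

    def approve(self, token: str) -> Dict[str, str]:
        """User clicks Authorize: hand out the verifier as a PIN or via the callback."""
        rt = self.request_tokens[token]
        rt.verifier = f"{secrets.randbelow(10 ** 7):07d}"  # 7-digit PIN
        if rt.oob:
            return {"pin": rt.verifier}
        return {"redirect": f"{rt.app.callback_url}?oauth_token={token}"
                            f"&oauth_verifier={rt.verifier}"}

    def access_token(self, token: str, verifier: str) -> Dict[str, str]:
        rt = self.request_tokens[token]
        if rt.used or rt.verifier is None or not hmac.compare_digest(rt.verifier, verifier):
            raise PermissionError("missing, wrong or reused oauth_verifier")
        rt.used = True  # a verifier is single-use
        return {"oauth_token": secrets.token_hex(8), "permission": rt.app.permission}


def run_flow(server: AuthServer, consumer_key: str, oauth_callback: str):
    """Drive one authorization end to end; return (shown, granted) permission lists."""
    token = server.request_token(consumer_key, oauth_callback)
    shown = server.consent_screen(token)["permissions"]
    result = server.approve(token)
    if "pin" in result:                       # user types the PIN into the app
        verifier = result["pin"]
    else:                                     # app reads the verifier from the redirect
        verifier = parse_qs(urlparse(result["redirect"]).query)["oauth_verifier"][0]
    granted = server.access_token(token, verifier)
    return shown, PERMISSION_TEXT[granted["permission"]]


def consent_matches_grant(server: AuthServer, consumer_key: str, oauth_callback: str) -> bool:
    """The check a reviewer wants: what the user saw equals what the token can do."""
    shown, granted = run_flow(server, consumer_key, oauth_callback)
    return shown == granted


def build_demo_server() -> AuthServer:
    """Two constructed registrations: a web app with a callback, a CLI tool on PIN."""
    return AuthServer([
        AppRegistration("Example Web Client", "web-key", "read-write",
                        "https://example.invalid/oauth/callback"),
        AppRegistration("Example CLI Tool", "cli-key", "read-write-dm", None),
    ])


if __name__ == "__main__":
    srv = build_demo_server()
    for key, cb in (("web-key", "https://example.invalid/oauth/callback"), ("cli-key", "oob")):
        print(key, run_flow(srv, key, cb))
```

The point of the model is the single source of truth: consent_screen and access_token both read the app’s registered permission level, so a PIN-based app with direct-message access shows “Read and send Direct Messages” on the consent screen, and the check in consent_matches_grant holds for both callback styles. A provider whose consent rendering takes a different path for “oob” than for callback authorizations is exactly where a discrepancy like the one Eden reported can hide, so this equality is worth asserting in the provider’s own tests.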
Twitter fixed the issue on 6 December and allowed Eden to publish the details of his report.