Bug Gives Twitter Apps More Permissions Than Shown
Twitter recently addressed a security vulnerability that resulted in certain applications not correctly showing all of the permissions they had.
Discovered by Terence Eden, the vulnerability only affected a select set of applications authenticated using a PIN or non-intended OAuth flow. In such cases, the permission dialog would not provide users with full details on what the app could access.
The researcher discovered that the “OAuth screen can be tricked into saying that an app cannot read Direct Messages,” although the application actually had access to those messages.
The root cause of the issue, Eden says, is that developers can create software using the official Twitter API keys that were leaked online several years ago. These keys provide developers with access to Twitter API even if Twitter hasn’t approved the applications, the researcher claims.
Moreover, he reveals that “Twitter’s OAuth screen says that these apps do not have access to Direct Messages,” although these applications do have such permissions. The issue, Eden said, can be reproduced using the iPhone keys and Google TV keys.
The main issue here, the researcher says, is that, based on what’s displayed on the OAuth screen, the user might authorized these apps on their device knowing that they do not have access to their DMs, which may contain sensitive information.
Through the use of the leaked API keys, however, any third-party app would be able to access said private information, which represents a breach of trust, Eden points out.
The researcher disclosed the findings to Twitter’s security team via HackerOne in early November. Twitter revoked the Google TV API keys soon after, and also decided to launch a “comprehensive review of application permissions,” to find similar issues.
Last week, before the vulnerability was made public, Twitter’s security team told the researcher that the Android and iOS applications do have access to DMs by default, although they do not inform the user on that. According to them, no information breach resulted from the bug.
“We do not believe anyone was misled by the permissions that these applications had or that their data was unintentionally accessed by the Twitter for iPhone or Twitter for Google TV applications as those applications use other authentication flows. To our knowledge, there was not a breach of anyone’s information due to this issue. There are no actions people need to take at this time,” the team said.
In September, Twitter patched a security vulnerability related to the Account Activity API (AAAPI), which may have caused direct messages to be sent to third-party developers other than the ones users interacted with.