Twitter fixes bug that lets unauthorized apps get access to DMs

Back in 2013, the OAuth consumer keys and secrets that Twitter's own official apps use to access users' accounts were disclosed in a post to GitHub… a leak that meant developers could call the Twitter API without getting an app of their own approved by Twitter.

Years later, the chickens are still coming home to roost: on Friday, researcher Terence Eden posted about finding a bug in the OAuth screen that stems from a fix that Twitter used to limit the security risks of the exposed keys and secrets. The bug involved the OAuth screen saying that some apps didn’t have access to users’ Direct Messages… which was a lie. In fact, they did.

Imagine the airing of dirty laundry that could ensue, Eden said:

You’re trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions – phew – it doesn’t want to access your Direct Messages.

You authorise it – whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic!

Eden explained that Twitter put some safeguards in place after its OAuth keys and secrets were published, the most important being that it restricts so-called callback addresses: after the user successfully logs in, the authorization flow returns only to a URL predefined for that app. In other words, a developer can't use the leaked API keys with their own app, because the flow will never hand the result back to the developer's own URL.

The problem is, not all apps have a URL, or support callbacks, or are, in fact, actual apps. For those situations, Twitter provides a secondary, PIN-based authorization method. “You log in, it provides a PIN, you type the PIN into your app,” and the app is authorized to read your Twitter content, Eden explained.

That’s the spot where the bogus OAuth information was being fed to the user, Eden said. The dialog was erroneously telling the user that the app couldn’t access direct messages, though it could. Eden:

For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!
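The two mechanisms Eden describes, callback locking and the PIN (out-of-band, "oob") flow, modelled as an added Python example that is not Twitter's code or Eden's proof of concept. Every name in it (AccessLevel, RegisteredApp, AuthServer, locked_callback, the permission strings and the sample consumer keys) is an assumption made for the example about how such a server might be structured, and OAuth 1.0a request signing is omitted. It shows a leaked consumer key being refused when paired with an attacker's callback but accepted with oob, and it includes the invariant check the bug violated: the permissions the consent screen displays must be derived from the same access level the issued token will carry, whichever flow is used.

```python
"""Toy OAuth 1.0a authorization server: callback lock plus PIN ("oob") flow.

Added illustration, not Twitter's code. Every name here (AccessLevel,
RegisteredApp, AuthServer, locked_callback, the permission strings and the
sample keys) is an assumption made for the example; request signing is
left out so the control flow stays readable.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class AccessLevel:
    READ = "read"
    READ_WRITE = "read-write"
    READ_WRITE_DM = "read-write-directmessages"


# Consent-screen wording per access level (constructed strings, not Twitter's).
_READ = ["Read Tweets from your timeline", "See who you follow"]
PERMISSIONS: Dict[str, List[str]] = {
    AccessLevel.READ: _READ,
    AccessLevel.READ_WRITE: _READ + ["Post Tweets for you"],
    AccessLevel.READ_WRITE_DM: _READ + ["Post Tweets for you", "Access your direct messages"],
}


@dataclass
class RegisteredApp:
    consumer_key: str
    consumer_secret: str
    access_level: str
    locked_callback: Optional[str]  # None: app may name any callback URL


@dataclass
class RequestToken:
    consumer_key: str
    callback: str                    # locked URL, or "oob" for the PIN flow
    verifier: Optional[str] = None   # PIN or redirect verifier, set at authorize()


class AuthServer:
    def __init__(self, apps: List[RegisteredApp]) -> None:
        self.apps = {a.consumer_key: a for a in apps}
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}

    def request_token(self, consumer_key: str, callback: str) -> str:
        """Step 1: the app asks for a request token, naming where to send the user back."""
        app = self.apps.get(consumer_key)
        if app is None:
            raise PermissionError("unknown consumer key")
        # Callback lock: a stolen key only works with the URL registered for it ...
        if callback != "oob" and app.locked_callback is not None and callback != app.locked_callback:
            raise PermissionError("callback does not match the registered URL")
        # ... except that "oob" (the PIN flow) needs no URL at all, so the lock does not apply.
        token = secrets.token_hex(16)
        self.request_tokens[token] = RequestToken(consumer_key, callback)
        return token

    def consent_screen(self, token: str) -> List[str]:
        """Step 2: what the user is shown. Rendered from the app's real access level,
        never from the flow type; this is the invariant the Twitter bug broke."""
        app = self.apps[self.request_tokens[token].consumer_key]
        return PERMISSIONS[app.access_level]

    def authorize(self, token: str) -> Tuple[str, str]:
        """Step 3: user approves. PIN flow shows a PIN; callback flow redirects with a verifier."""
        rt = self.request_tokens[token]
        if rt.callback == "oob":
            rt.verifier = f"{secrets.randbelow(10**7):07d}"  # 7-digit PIN (length is a modelling choice)
            return ("pin", rt.verifier)
        rt.verifier = secrets.token_urlsafe(16)
        return ("redirect", f"{rt.callback}?oauth_token={token}&oauth_verifier={rt.verifier}")

    def access_token(self, token: str, verifier: str) -> Tuple[str, str]:
        """Step 4: the app exchanges token + verifier (the typed PIN) for an access token."""
        rt = self.request_tokens.pop(token)  # request tokens are single use
        if rt.verifier is None or not hmac.compare_digest(rt.verifier, verifier):
            raise PermissionError("bad verifier")
        level = self.apps[rt.consumer_key].access_level
        access = secrets.token_hex(16)
        self.access_tokens[access] = level
        return access, level


def consent_matches_grant(server: AuthServer, consumer_key: str, callback: str = "oob") -> bool:
    """Run a full flow and check that the permissions displayed equal the permissions granted."""
    token = server.request_token(consumer_key, callback)
    shown = server.consent_screen(token)
    kind, value = server.authorize(token)
    verifier = value if kind == "pin" else value.split("oauth_verifier=")[1]
    _, level = server.access_token(token, verifier)
    return shown == PERMISSIONS[level]


if __name__ == "__main__":
    # Constructed sample: an "official" app with DM access and a locked callback, whose key leaked.
    official = RegisteredApp("official-key", "official-secret",
                             AccessLevel.READ_WRITE_DM, "https://official.example/callback")
    server = AuthServer([official])
    try:
        server.request_token("official-key", "https://attacker.example/callback")
    except PermissionError as err:
        print("attacker callback refused:", err)
    token = server.request_token("official-key", "oob")  # the lock does not help here
    print("consent screen shows:", server.consent_screen(token))
    print("display matches grant:", consent_matches_grant(server, "official-key"))
```

The point of consent_matches_grant is that it is the regression test an authorization server should run for every flow it supports, not just the main one: a secondary path such as the PIN flow is exactly where a screen and a grant can drift apart unnoticed, because the checks and the test coverage tend to be written for the callback path.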

Eden submitted his findings via HackerOne on 6 November; after he clarified some points, Twitter accepted the issue the same day.

Twitter fixed the bug on 6 December, announced that it was paying Eden a bounty of $2,940 and gave him the go-ahead to publish the details of his report.

Eden told media outlets that by using his proof of concept, he was able to read his own direct messages, along with those of a dummy account he had created.

It would have been a difficult attack to pull off, he said:

An attacker would have had to convince you to click on a link, sign in, then type a PIN back into the original app. Given that most apps request DM access – and that most people don’t read warning screens – it is unlikely that anyone was misled by it.

Twitter agreed, and said that users don’t need to do anything: to its knowledge, nobody’s DMs were accessed through this issue. From its summary on the HackerOne report:

We do not believe anyone was mislead [sic] by the permissions that these applications had or that their data was unintentionally accessed by the Twitter for iPhone or Twitter for Google TV applications as those applications use other authentication flows. To our knowledge, there was not a breach of anyone’s information due to this issue. There are no actions people need to take at this time.