A flaw in the device that lets you use your Twitter account to login to websites and mobile apps lets those third parties read your private direct messages and send them too, according to Rishi Lakhani, a search marketing consultant.
Lakhani demonstrated the flaw on a Twitter account created by Business Insider. Even though he did not have the password to the account, Lakhani was able to gain control of it within seconds, alter the profile description on the account, and send and receive direct messages.
Business Insider asked Twitter for comment but we have yet to hear back.
It is not clear how many users are affected by the flaw. Twitter has 284 million users and thousands of other companies let users login to their sites and apps via Twitter. Business Insider is one of them.
Lakhani discovered the hole when he tried to use his Twitter account to sign up to Inbound, a forum for digital marketers. He discovered that the login disclosure warned him that the site would be able to read his DMs. Inbound apparently did not realise it had that power over Twitter users on the site. Inbound was doing the same thing that thousands of other companies do: Letting people use their Twitter accounts to login to the site in order to make the registration process go more quickly.
After poking around, Lakhani realised that the API (application programming interface) that Twitter was letting developers use as a login tool let those developers choose one of three options:
- Read Only
- Read Write
- Read Write DM
In other words, a developer who wants to stick one of those login boxes on their site could choose the third option and it would mean that any user who logs in is exposing their direct messages to the site or app. This is what the login choice menu looks like:
Needless to say, the login access is open to abuse, Lakhani says, writing on the Refugeeks website:
A clever spammer could use this tool to their advantage, as it allows some real control over an account’s actions. For example, by time noting user activity, it could be possible to use the account to tweet links for traffic etc when the user is least likely to be using the account, and then delete them. the same goes for DMs.