The safety of signing into third-party applications using Twitter credentials has been called into question, after a researcher discovered that an application bypassed the social network’s security to access restricted information from his account.
Cesar Cerrudo of IOActive Labs claims his direct messages on Twitter were exposed by a web application he was experimenting with, even though his privacy settings should have prevented access.
With more and more third-party services offering us to sign in using our social network details, the usually sceptical Cerrudo says he would not have used his Twitter login data if the application hadn’t assured him that it would access only public posts and follower information, and not his direct messages.
Meanwhile, his Twitter settings specified that a third-party application would have to explicitly request permission to access his messages, and yet the app "did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages."
Cerrudo warned that even after Twitter had issued a security fix for the problem, the application still had access to his direct messages until he actively revoked it. Given the micro-blogging site’s huge user-base, Cerrudo says millions are at risk from such a breach having likely used their login details on separate applications in the past.
“Since Twitter, has not alerted its users of this issue, I think we all need to spread the word,” he concluded.