Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Twitter fixed bug could have exposed Direct Messages to third-party apps

Researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party. The flaw is triggered when apps that require a PIN to complete the authorization process instead of the using the OAuth protocol. The expert discovered that some permissions such as that to access direct messages, remained […]

Twitter direct messages

Researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party.

The flaw is triggered when apps that require a PIN to complete the authorization process instead of the using the OAuth protocol. The expert discovered that some permissions such as that to access direct messages, remained hidden to the Twitter user.

Terence Eden was awarded $2,940 for reporting the bug to Twitter under the bug bounty program operated through the HackerOne platform. According to Eden, the bug resides in the way the official Twitter API handles keys and secrets that could be accessed by app developers even without the service’s authorization.

“Many years ago the official Twitter API keys were leaked. This means that app authors who can’t get their app approved by Twitter are still able to access the Twitter API.” wrote Eden.

“For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!

In short, users could be tricked into allowing access to their DMs.”

Twitter implemented some restrictions, the most important one is restricting callback addresses. After successful login, the apps will only return to a predefined URL preventing the abuse of the official Twitter keys to send the user to your app.

The problem is that there are some apps that haven’t a URL or don’t support callbacks. For these apps, Twitter has implemented an alternative authorisation mechanism, users log in, it provides a PIN, they type the PIN into their app.

Twitter direct messages flaw

In this alternative scenario, Eden discovered that apps did not show the correct OAuth details to the user, in particular, that the app was not able to access user direct messages.

Below the bug timeline:

  • 2018-11-06 Submitted via HackerOne
  • 2018-11-06 Provided clarification and PoC. Issue accepted.
  • 2018-11-15 Proposed publication date of 30th November rejected due to US holidays.
  • 2018-11-16 Bug Bounty of $2,940 offered. Filled in the W2 form to say I’m not a US taxpayer.
  • 2018-11-17 Drank a fair amount of cider.
  • 2018-11-21 £2,287.05 deposited in my UK bank account. There was also the option of receiving it via PayPal.
  • 2018-12-06 Twitter fixed the issue and published the bounty payout. They let me know I was clear to publish.
  • 2018-12-14 Published this report.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –Twitter,  hacking)

[adrotate banner="5"]

[adrotate banner="13"]