Search This Blog

Twitter API Bug Enables Third Party Access to User Data

A Twitter API bug discovered earlier this month could have enabled unauthorised third-party developers to access the user data.


An API bug found earlier this month that could host unapproved third-party developers in order to gain access to the user's information on Twitter was as of late looked for and removed by the said social networking site.

The bug was said to affect the permission dialog while approving and authorizing certain applications to twitter and left direct messages to be exposed to the third party without the user's knowledge. Instead of the OAuth token-based method, bug manifested with applications that require a PIN to finish the authorization procedure.

Terence Eden, who found the issue and thusly reported it to Twitter describes it as one coming directly from the official Twitter API keys and the privileged insights being uninhibitedly accessible, enabling the application developers to get to the Twitter API even without the administration's approval.

In spite of the fact that Twitter upheld a few confinements to anticipate imitating the official applications by utilizing the keys to divert to an alternate application than the one they are related with. They utilized a strategy to limit 'callback URLs', so a developer couldn't utilize the API keys with their application.

Yet, shockingly this assurance was not comprehensive, since some applications don't utilize a URL, or they may not bolster call-backs and for these, Twitter at that point resorts to a secondary, PIN based, approval system. Later on, Eden saw that the applications did not demonstrate the correct OAuth details to the user. For reasons unknown, the discourse wrongly informed the user that the application could not be able to access the direct messages, although the inverse was valid.




The researcher submitted his discoveries through HackerOne on November 6 and the issue was acknowledged around the same time subsequent to giving elucidations and exhibiting the privacy violation problem.

Nonetheless Twitter settled the issue on December 6 subsequently informing the analyst that he could distribute the subtleties of his report.


Share it:

API Bug

Twitter

User Privacy