Twitter Security Flaw Gives Apps Access to Private Direct Messages

Posted by softwareguru on January 29, 2013

We’ve all seen it before: That friendly window that welcomes you to a new mobile app by offering two options to sign in. Option 1 prompts you to create a new account (who has time for that?), and option 2 allows you to sign in through Twitter or Facebook.

Twitter and Facebook Login

Of course, you choose option 2. It’s easy, it’s fast, and it’s “secure” based on the third party app’s disclosure statement about how they’ll use your information. You’re in, and all security worries are forgotten as you have fun with your brand new app.

One Problem: An App Never Forgets.

When you clicked “Sign in through Twitter,” you probably assumed the app would have access to certain public information, like your unprotected Tweets and Facebook posts. In fact, most apps show a consent page at sign-in that lists what the program can access: public tweets, followers, etc. But as a security researcher uncovered earlier this week, bugs in the login system can give apps access to private information without user approval.

In the case of the specific Twitter bug in question, a third party app leveraged a privacy setting run-around to access private direct messages without explicit user authorization. While Twitter promptly fixed the security flaw, apps that previously took advantage of the loophole were not reset to original permission levels. This means that until you manually revoke permissions in affected applications, your privacy could still be at risk.
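The point in the paragraph above is easy to miss: fixing the authorization flow only changes what newly issued tokens get, while tokens issued before the fix keep whatever scope was baked into them. The following toy model is an added example written for this page, not Twitter's implementation or any real OAuth library; the app names, user name and scope strings are constructed. It shows the pre-fix token retaining direct-message access, and the two things that close the gap: the user revoking the app (what the steps below do), or the API checking each request against the user's current grant rather than the token's frozen scope.

```python
"""Toy model of OAuth-style app permissions (constructed example, not
Twitter's code). Demonstrates why patching the authorization flow alone
leaves previously issued tokens with their old privileges, and what
closes the gap."""
from dataclasses import dataclass, field

READ, WRITE, DM = "read", "write", "direct_messages"


@dataclass(frozen=True)
class Token:
    app: str
    user: str
    scopes: frozenset  # scopes baked into the token when it was issued


@dataclass
class AuthServer:
    # The "bug fix": only issue the scopes the consent page displayed.
    clamp_to_consent: bool = False
    # The stronger mitigation: re-check the user's current grant per request.
    check_grant_per_request: bool = False
    grants: dict = field(default_factory=dict)  # user -> app -> approved scopes
    tokens: set = field(default_factory=set)

    def authorize(self, user, app, requested, consent_page_showed):
        """Issue a token for `app` on behalf of `user`.

        Before the fix, the token carried whatever the app requested, even
        when the consent page only displayed a subset of those scopes."""
        self.grants.setdefault(user, {})[app] = frozenset(consent_page_showed)
        issued = frozenset(requested)
        if self.clamp_to_consent:
            issued &= frozenset(consent_page_showed)
        tok = Token(app, user, issued)
        self.tokens.add(tok)
        return tok

    def revoke(self, user, app):
        """What the user does on the Apps page: drop the grant and every token."""
        self.grants.get(user, {}).pop(app, None)
        self.tokens = {t for t in self.tokens
                       if not (t.user == user and t.app == app)}

    def allowed(self, tok, scope):
        """Access check performed at API call time."""
        if tok not in self.tokens or scope not in tok.scopes:
            return False
        if self.check_grant_per_request:
            current = self.grants.get(tok.user, {}).get(tok.app, frozenset())
            return scope in current
        return True


def run_scenario(check_grant_per_request=False, user_revokes=False):
    """Return what a game's token, issued before the fix, can still do."""
    server = AuthServer(check_grant_per_request=check_grant_per_request)
    # Buggy era: the game asks for DMs but the consent page shows only read/write.
    old_token = server.authorize("alice", "some-game",
                                 {READ, WRITE, DM}, {READ, WRITE})
    # Provider deploys the fix: new authorizations are clamped to consent.
    server.clamp_to_consent = True
    new_token = server.authorize("alice", "other-game",
                                 {READ, WRITE, DM}, {READ, WRITE})
    if user_revokes:
        server.revoke("alice", "some-game")
    return {
        "old_token_dm": server.allowed(old_token, DM),
        "new_token_dm": server.allowed(new_token, DM),
        "old_token_read": server.allowed(old_token, READ),
    }


if __name__ == "__main__":
    print("fix only:       ", run_scenario())
    print("user revokes:   ", run_scenario(user_revokes=True))
    print("check per call: ", run_scenario(check_grant_per_request=True))
```

With the fix alone, `old_token_dm` stays `True`: the server-side patch never touches tokens already in the wild, which is exactly why the article tells you to revoke. Checking the user's current grant on every request (`check_grant_per_request=True`) removes the dependency on the token's stale scope without the user having to act.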

How to Reset Twitter App Privacy Settings

If you have any apps on your smartphone or tablet that use Twitter to log in, it takes just two easy steps to make sure privacy permissions are set appropriately:

1. Visit the “Apps” page on Twitter to see all applications that you have authorized to access your account. This page can be found under “Settings” (see the screenshot below).

2. Scroll down your list of authorized applications, and revoke access for any apps you do not recognize, or any that list inappropriate permissions.

– For example, applications you use regularly to send scheduled messages (like TweetDeck) might say “read, write, and direct messages.” However, apps that have no reason to access your direct messages (like games) should only say, “Permissions: read and write.”

3. For more security peace of mind, McAfee All Access with McAfee Mobile Security allows users to easily monitor the privacy access levels of mobile apps, providing automatic reviews and reports while scanning for malicious content.

Twitter Privacy Settings

The Bigger Picture: Why do we log in with Twitter at all?

There’s a larger issue embedded in this story, and it’s an issue of digital identification. Why, in a world where we have just one driver’s license and one passport to identify ourselves internationally, do we still rely on dozens of passwords (or insecure apps like Twitter) for online identification?

It’s an issue I discussed last week in the blog, and one that many companies, McAfee included, are taking very seriously. On one side of the argument, the US government is urging Internet companies to agree upon and adopt a standard, reliable identity-verification system that people can use for any website. We already see examples of this today (like when you log into an app with your Twitter, Facebook, or Google credentials), but the system has not been standardized and is still very insecure.

On the other side, privacy watchdogs have voiced concerns over whether a standardized online identity system would lead to government surveillance, or whether computers are secure enough at any level to be used for these purposes. Smart ID system or not, security vulnerabilities stem from buggy software, and if a user’s digital ID were to be stolen, it could be used to both pose as the user and access all the user’s accounts and data.

The bottom line is that secure ID technology isn’t quite there yet, so it’s still up to you to protect your information when registering for a new website or application. It’s imperative to check security settings on all applications, devices, and social channels (not just Twitter), and you can find a detailed step-by-step for other channels here.

For more on this topic and other important news on consumer threats, be sure to follow us on Twitter @McAfeeConsumer.
