Privacy Flaw In Twitter Lets Other People Read Your Direct Messages - And Send New Ones, Too
A flaw in the feature that lets you use your Twitter account to log in to websites and mobile apps lets those third parties read your private direct messages, and send them too, according to Rishi Lakhani, a search marketing consultant.
Lakhani demonstrated the flaw on a Twitter account created by Business Insider. Even though he did not have the password to the account, Lakhani was able to gain control of it within seconds, alter the profile description on the account, and send and receive direct messages.
Business Insider asked Twitter for comment but we have yet to hear back.
It is not clear how many users are affected by the flaw. Twitter has 284 million users, and thousands of other companies let users log in to their sites and apps via Twitter. Business Insider is one of them.
Lakhani discovered the hole when he tried to use his Twitter account to sign up to Inbound, a forum for digital marketers. The authorisation screen warned him that the site would be able to read his DMs. Inbound apparently did not realise it had that power over the Twitter users on its site. Inbound was doing the same thing that thousands of other companies do: letting people use their Twitter accounts to log in to the site so that registration goes more quickly.
After poking around, Lakhani realised that the API (application programming interface) that Twitter lets developers use as a login tool lets those developers choose one of three permission levels for their app:
- Read Only
- Read Write
- Read Write DM
In other words, a developer who wants to put one of those login buttons on their site could choose the third option, and every user who logs in would then be exposing their direct messages to the site or app. The user sees the level of access on the authorisation screen, but only if they read it; nothing stops a developer from asking for far more than a login needs. This is what the login choice menu looks like:
Needless to say, the login access is open to abuse, Lakhani says, writing on the Refugeeks website:
A clever spammer could use this tool to their advantage, as it allows some real control over an account's actions. For example, by time-noting user activity, it could be possible to use the account to tweet links for traffic etc. when the user is least likely to be using the account, and then delete them. The same goes for DMs.