[ISN] Twitter flaw gave third-party apps unauthorized access to private messages, researcher says

https://www.networkworld.com/news/2013/012213-twitter-flaw-gave-third-party-apps-266030.html By Lucian Constantin IDG News Service January 22, 2013 Users who signed into third-party Web or mobile applications using their Twitter accounts might have given those applications access to their Twitter private “direct” messages without knowing it, according to Cesar Cerrudo, the chief technology officer of security consultancy firm IOActive. The issue is the result of a flaw in Twitter’s API (application programming interface) that led to users not being properly informed about what permissions an application will have on their accounts once granted access. Cerrudo described the problem and explained how he discovered it in a blog post published Tuesday. Twitter has disruptions after hectic time during inauguration of U.S. president Applications that allow users to log in with their Twitter accounts have to be registered with Twitter at https://dev.twitter.com/apps. During registration, their developers have to declare the level of access the applications will have on people’s accounts: “read only,” “read and write” or “read, write and access to direct messages.” When users attempt to log into such an application for the first time using their Twitter accounts, they get redirected to an authorization page on Twitter’s website that lists the permissions requested by the particular application. […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org