PRIVACY BREACH: All Twitter DMs Can be Read by Every App?

A few months ago, after Twitter had implemented its OAuth authorisation system, I was hired to put together a Twitter toy application – one of those little web pages that offers some sort-of-interesting statistic about your tweets, as long as you log in with your Twitter account. Of course, it then invites you to tweet that statistic out to your friends – along with a link and a small advertising message.

The trouble is that Twitter's authorisation process makes no distinction between small toys like that and big applications like TweetDeck that handle your entire account. Toys only need to read public messages and perhaps tweet once, but they usually request, and are given, "read and write" permission, which means they can perform every action Twitter offers an authorised user: the power to change profile pictures, follow and block users, and – crucially – read direct messages. Changing your password doesn't lock them out either; you need to explicitly revoke their access.

So if I wanted to, I could use the authorisations given to the toy application to download the direct messages of all of its thousands of users. I'm not going to, of course – it's illegal and unethical – but curiosity is a powerful thing. Imagine a web page that simply asks "Whose inbox would you like to read?". Would you trust everyone you know not to use it? How about everyone they know? What if the attack had already been performed by someone else, and they'd actively leaked those messages to the world – would you still be able to resist seeing what was in your friends' inboxes if the damage was already done?

Using existing applications' permissions isn't the only potential attack. Toy applications with poor security could provide a back door into people's Twitter accounts without their creators' knowledge. And those with espionage on their minds could create an application that works as advertised until it sees a particular user; the world's millions of inboxes might not be of interest, but specific ones might be.

Without wanting to scaremonger, I'd say that unless Twitter starts using granular, Facebook-like authorisation, it's a matter of when – not if – an application goes rogue. Mischief isn't a strong motivator for releasing personal data (the risks are too high), but it only takes one script-kiddie cracker with a desire for notoriety, and suddenly The Pirate Bay is serving "two-million-twitter-DMs.rar" to anyone who's interested.

The bottom line is this: almost every Twitter application you authorise, no matter how trivial, has near-complete control over your account. This is not a new revelation, but it still takes a lot of people by surprise. If you haven't recently checked the Connections page of your Twitter account to see which applications you've authorised, you should. And revoke them unless you're certain you want to take the risk of them going rogue at some point.

(via Guardian) h/t @JustMeFi via @jabolins

Copyright © Jewish Internet Defense Force
All Rights Reserved
