Imagine the scenario. You’re trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions – phew – it doesn’t want to access your Direct Messages.
You authorise it – whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic!
What’s going on?
Many years ago the official Twitter API keys were leaked. This means that app authors who can’t get their app approved by Twitter are still able to access the Twitter API.
For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!
In short, users could be tricked into allowing access to their DMs.
There are some restrictions which Twitter has put in place in the name of good security. The most important of these is restricting callback addresses. After successful login, the apps will only return to a predefined URL. That means you can’t take the official Twitter keys and send the user to your app. This is a sensible security decision.
Except… Not every app has a URL. Or supports callbacks. Or is an actual app. Twitter has a secondary authorisation mechanism for such cases. You log in, it provides a PIN, you type the PIN into your app.
It appears that these official PIN apps don’t display the correct OAuth information to the user.
After reporting this, Twitter audited their old apps and assures me the issue is now fixed.
I suspect that the older apps were never designed to access DMs, but were upgraded behind the scenes at some point.
- 2018-11-06 Submitted via HackerOne
- 2018-11-06 Provided clarification and PoC. Issue accepted.
- 2018-11-15 Proposed publication date of 30th November rejected due to US holidays.
- 2018-11-16 Bug Bounty of $2,940 offered. Filled in the W2 form to say I’m not a US taxpayer.
- 2018-11-17 Drank a fair amount of cider.
- 2018-11-21 £2,287.05 deposited in my UK bank account. There was also the option of receiving it via PayPal.
- 2018-12-06 Twitter fixed the issue and published the bounty payout. They let me know I was clear to publish.
- 2018-12-14 Published this report.