Imagine the scenario. You’re trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions – phew – it doesn’t want to access your Direct Messages.

You authorise it – whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic!

What’s going on?

Many years ago the official Twitter API keys were leaked. This means that app authors who can’t get their app approved by Twitter are still able to access the Twitter API.

For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!

In short, users could be tricked into allowing access to their DMs.

Restrictions

There are some restrictions which Twitter has put in place in the name of good security. The most important of these is restricting callback addresses. After successful login, the apps will only return to a predefined URL. That means you can’t take the official Twitter keys and send the user to your app. This is a sensible security decision.

Except… Not every app has a URL. Or supports callbacks. Or is an actual app. Twitter has a secondary authorisation mechanism for such cases. You log in, it provides a PIN, you type the PIN into your app.

It appears that these official PIN apps don’t display the correct OAuth information to the user.

Fixing it

After reporting this, Twitter audited their old apps and assures me the issue is now fixed.

I suspect that the older apps were never designed to access DMs, but were upgraded behind the scenes at some point.

Timeline