A bug affecting the permissions dialog shown when authorizing certain apps to Twitter leaves direct messages exposed to the third party without the user ever knowing about it.

The flaw manifested in apps that require a PIN to complete the authorization process instead of the OAuth token-based procedure; as a result, some permissions, such as access to direct messages, remained hidden from the Twitter user.

Terence Eden discovered the issue and reported it to Twitter through the HackerOne bug bounty platform. The disclosure earned him a reward of $2,940.

False info on the OAuth authorization dialog

Eden describes the problem as stemming from the official Twitter API keys and secrets being freely available, enabling app developers to access the Twitter API even without the service's approval.

Twitter enforced some restrictions to prevent impersonating the official apps by using the keys to redirect to a different app than the one they are associated with.

One method was to restrict 'callback URLs', so that when a user logged into their account, the authorization response could only be sent to a URL predefined for that app. In simpler terms, a developer could not use the official app's API keys with their own app.

This protection was not all-inclusive, Eden explains, because some apps do not use a URL or may not support callbacks at all. For these, Twitter makes available a secondary, PIN-based authorization mechanism.

"You log in, it provides a PIN, you type the PIN into your app," and the app is authorized to read your Twitter content, he says.

In such cases, Eden noticed that the authorization dialog for these apps did not show the correct OAuth details to the user. The dialog erroneously informed the user that the app was not able to access direct messages, although the opposite was true.

"For some reason, Twitter's OAuth screen says that these apps do not have access to Direct Messages. But they do!"
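The defect described above comes down to one invariant: the consent dialog must be rendered from the same permission set that the issued token actually carries, regardless of whether the app uses a callback URL or the PIN flow. The following is an added example, not Twitter's code; the article does not say what caused the dialog error, so the model below simply assumes the dialog was built from a callback-flow profile that PIN-only apps lacked, and the app registry and scope names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed scope names standing in for the access levels an app token can hold.
READ, WRITE, DM = "read", "write", "dm"


@dataclass(frozen=True)
class App:
    name: str
    granted_scopes: FrozenSet[str]          # what a token minted for this app can do
    callback_url: Optional[str] = None      # None means the app must use the PIN flow


# Hypothetical registry: one callback-based app and one PIN-based app, both
# registered with direct-message access.
APPS: Dict[str, App] = {
    "web-client": App("web-client", frozenset({READ, WRITE, DM}),
                      "https://example.invalid/callback"),
    "pin-tool": App("pin-tool", frozenset({READ, WRITE, DM})),
}


def issue_token(app: App) -> FrozenSet[str]:
    """Token issuance always uses the app's real registered scopes."""
    return app.granted_scopes


def dialog_scopes_buggy(app: App) -> FrozenSet[str]:
    """Assumed bug pattern: the dialog is rendered from the callback profile,
    so an app without one is shown without the DM permission it really has."""
    if app.callback_url is None:
        return app.granted_scopes - {DM}
    return app.granted_scopes


def dialog_scopes_fixed(app: App) -> FrozenSet[str]:
    """Fix: render the dialog from the same source the token is minted from."""
    return issue_token(app)


def audit(dialog_fn: Callable[[App], FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Map each app to the permissions its token carries but its dialog hides.
    An honest consent screen yields an empty set for every app."""
    return {name: issue_token(app) - dialog_fn(app) for name, app in APPS.items()}


if __name__ == "__main__":
    for label, fn in (("buggy", dialog_scopes_buggy), ("fixed", dialog_scopes_fixed)):
        print(label, {k: sorted(v) for k, v in audit(fn).items()})
```

Running the audit against every registered app, for every authorization flow, is the regression check that would have caught the hidden direct-message permission before a user saw the dialog.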

The researcher submitted his findings via HackerOne on November 6, and the issue was accepted the same day after he provided clarifications and demonstrated the privacy violation.

On December 6, Twitter fixed the issue, announced the bounty payment and informed the researcher that he could publish the details of his report.