Update

A number of devs I am speaking to highlight that the flaw isn’t necessarily a security one, but just one of limiting the type of access that devs have when building apps. I still think that the way the access is granted is ridiculous, but I also understand that apps such as Hootsuite etc. need advanced permissions. However, should there be limitations on the way that data can be stored by app developers?

While writing a post, I came across a serious flaw in the way the Twitter API bundles the access granted to apps, which could have serious privacy implications (in my mind anyway!).

The background

I am a long time user of Inbound, which allows login to the site using Twitter API access. In early 2013, I wasn’t happy with the way they were requesting access via Twitter.

Credit to them, they reverted their API access to a reasonable level, and I stayed on as a signed-up user. Then one day the tool asked me to re-authorise their access. As I was about to click OK, something caught my eye. Their permissions – they had changed AGAIN! And this time, they were worse than the previous versions:

Read Tweets from your timeline.

See who you follow, and follow new people.

Update your profile.

Post Tweets for you.

Access your direct messages.

And that resulted in me writing this post: http://refugeeks.com/dear-inbound-wtf-wrong/

As per usual, Inbound tried to do what it could by removing at least one level of access – namely access to read your direct messages. The other flaws still remained. When I questioned them, Ed Fry confirmed that they had no way to reduce the permission bundles:

@edfryed @Inboundorg @randfish So twitter integration is to blame for that access? Maybe we need to highlight that. — Rishi Lakhani (@rishil) November 21, 2014

The screenshot in question:

Was I being Overcautious?

A couple of people called me out saying I was reading too much into it, and that I shouldn’t be worried. After all, surely privacy settings couldn’t be overridden as easily by random apps by using the standard twitter authorisation?

I decided to dig further and set up an experiment to prove my hypothesis. The only problem was/is, I am no developer. So I reached out to a private online marketers community I am part of asking for help, while trying to keep the details vague.

Expanding on the Permissions

Typically sites or apps can use twitter API to create an auth login so you don’t need to sign up to the app or site independently.

So when you create a “login” with twitter access to a site, the permissions you can allow your app or website are one of the three below.

Only three permission groups

Read Only,

Read Write,

Read Write DM.

Right now, anyone who signs in using apps or sites with option 3 may have their direct messages readable by the app creator. Option 2 lets them edit your profile and follow whoever they like…

Make sense?

By limiting the way Twitter app developers build apps to only these three permission groups, Twitter may be exposing people to snooping and spamming. A lot of app developers are jumping straight to the latter two permissions, as the read only access is pretty basic.

The Privacy Flaw Hypothesis

Flaw 1. The latter two options allow the app to edit profiles and follow whoever it wants.

Flaw 2. The DM auth lets devs read and write direct messages.

Flaw 3. The Read Write access also allows a host of other actions such as deleting tweets, adding new follows, removing a host of follows, posting tweets etc.

Overall Hypothesis 1 – the user can be kept ignorant of these changes, i.e. they won’t know unless they look for them.

Overall Hypothesis 2 – we could build a tool that would allow ANYONE to make these changes to Twitter accounts and read recent messages, as long as the account had authorised the app.

TL;DR: I need to prove that the ordinary Read Write DM access lets an app read a user’s DMs, which is a privacy flaw in my opinion. These are recent changes; I wonder how many apps get access to these private messages?

Building the Twitter Access Tool for Spamming and Snooping

So I reached out to my network for someone who might be willing to work with me on a “twitter tool” without specifying the details. To my delight, Shane, a really talented social tools dev, responded.

These are our conversations:

Me:

I would like to create a twitter app that would let me:

1. Change people’s profiles

2. Send direct messages to their followers

3. Read the app users direct messages.

Is this something you can develop? Before you get worried – it’s not for dodgy usage

Shane:

Change profiles – easy enough https://dev.twitter.com/overview/api/users

Send DM’s also easy enough – https://dev.twitter.com/rest/reference/post/direct_messages/new

Again not too trivial https://dev.twitter.com/rest/reference/get/direct_messages

I do have a base Twitter Auth template too that I should be able to plug this in to

Me:

I want to use the API to test if spying into DMs and changing profiles can happen without users knowing. That’s the story – I don’t know if it is possible for sure. We just need a test to try.

As we Expected

A few days later Shane reached out to me, and the first message said it all:

Well shit…

It’s done and the results are probably what you were expecting. I’ve authed an account with twitter

I’ve logged out etc

I’ve gone to a hidden page in incognito

I can update any user that has authed’s bio

I can read their recent DM’s

I can DM their friends

We can do anything with this too

Follow / Unfollow people, message people, delete the whole account’s tweets

Wow

Wow indeed. So my theory WAS right. Our test tool is built. If we can get people to use that tool to auth their twitter profiles with, we would have a lot of access to their twitter accounts. And it wasn’t hard to do.

The Twitter Snooping and Spamming App – Testing

So here are the steps to test this:

1) Register a new Twitter account (throwaway, because you don’t want to use your own!)

2) Authorise it to our app http://shanejones.co.uk/twitter-access/

The auth screen ought to give you the same warnings as I have highlighted in this post http://refugeeks.com/dear-inbound-wtf-wrong/

3) Follow that throwaway account with your own (if you want to test direct messages) – this won’t give us access to your messages, except for the message you send it

4) Use our public-facing landing page (i.e. no login, no security) to test the theory

- That admin access will let you see which accounts are signed up to the app.

- It will allow you to see the last few DMs sent and received

- It will allow you to SEND dms

- It will allow you to change their profile

As you can see, these permissions let you do a lot. We didn’t build the full suite, but we could technically unfollow anyone, follow anyone and delete the full following of the account if we wanted. Additional bonus: that admin screen doesn’t require any sign in, as we built it – this means that anyone with that link can access these accounts and change them at will.

Step By Step Testing

For the purpose of the test, Shane and I each created a throwaway account. The test profiles we have:

Now let’s see what we can do with this tool – remember, all use of the admin screen is done LOGGED OUT of Twitter.

I can read DMs Received and DMs Sent!

Let’s change the profile – below is the original profile:

Now go into the tool:

And let’s see if it’s changed:

Can I spam with links?

Yes I can!

What about DMs?

Successfully sent a DM with a link!

Clever Manipulation

Interestingly, a clever spammer could use this tool to their advantage, as it allows some real control over an account’s actions. For example, by noting the timing of user activity, it could be possible to use the account to tweet links for traffic etc. when the user is least likely to be using the account, and then delete them. The same goes for DMs. For users who don’t heavily control their following, we could slowly and gradually follow a number of accounts that we like. We could also unfollow other accounts to keep the follow/unfollow ratio stable if we chose to. DMs can be deleted and monitored, so if someone complains about a DM, we could technically send a “sorry – mistake!” message, and just delete the conversation.

In fact there are so many ways to use this, it’s boggling.

Is Twitter to blame?

People like me think that this is way too much access, and that the access is too easily gained. Others may argue that the OAuth screen clearly tells you that this access is being granted.

As you can see, the twitter screen does make it clear. However, do people really realise the level of control being granted? Maybe, maybe not. I just wanted to highlight this as clearly as possible. There are some legitimate reasons to have this access, but maybe some filters need to go into play when allowing the app developer to access messages and profiles without user knowledge.

From the Developer

I asked Shane to put his thoughts down, and explain how this works and if it’s easy enough for any dev to do.

The App.

This app is a really basic example of a Twitter app. All the code to build this app is available online (https://github.com/abraham/twitteroauth) and from a quick browse of the Twitter developer documentation (https://dev.twitter.com/overview/documentation). It follows a basic oAuth flow to get a user authenticated and then gives us the option to query the API using Twitter’s many endpoints (https://dev.twitter.com/rest/public). This is a typical flow that pretty much all Twitter apps will follow.

How can we pretend to be you?

When you authorise an account with Twitter, the API will return you a set of access tokens. These strings of data are used with the application’s keys to query Twitter’s API as the authenticated user. It is 100% up to the developer whether they want or need to store these keys. Should they store these keys, there is nothing stopping the app accessing your account through the API on your behalf at any time.

Now if you have a read access application this isn’t so bad. It will just mean they can access the data that is already publicly accessible through the Twitter website.

It gets interesting when the app has read/write or read/write and direct messages access. The app in this case would have full access to your account: it could post messages to your timeline, share pictures, delete tweets, follow or unfollow new accounts; the list goes on. In the case of the direct message access, the app could send direct messages and also gain access to any sensitive information you may have sent people via a DM on Twitter.

A suggestion.

Having built hundreds of apps over the years, it’s safe to say Facebook is a lot clearer with their API. Rather than having 3 options for the data you can request, Facebook requires that the authenticating user must accept many individual permissions depending on the data the app would like to use.

At the moment Twitter only has 3 options for authentication. If it moved to a similar system to Facebook, it could make an app ask for specific permissions rather than the top-level grouping it already has.

Protecting yourself from Snooping and Spamming on Twitter.

Do you know how many apps you have connected with Twitter? Head over to Twitter’s apps page (https://twitter.com/settings/applications) in your profile and you can see all the apps connected.

Here you will see everything, including the access level. If you haven’t used an app in there for a while, revoke the access. If you see an app that has the read and write and direct messages permission, then see how it’s being used and if that app is a legitimate one. Most apps shouldn’t NEED that access, and if you grant the access, you are exposing your private messages to a third party.
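As an added illustration of two points in this post, the over-granting caused by the three permission bundles (“Expanding on the Permissions”) and the connected-apps audit advised just above, the Python below models the bundles using the actions the post lists for each. This is editorial example code, not Shane’s tool or anything from Twitter’s API; the action names, app names and dates are constructed for the example.

```python
# Model of Twitter's three permission bundles as described in this post.
# Action names follow the post's list; SAMPLE_APPS is made-up sample data.
from datetime import date

# Each bundle is a strict superset of the previous one (the post's options 1-3).
BUNDLES = {
    "Read Only": {"read_timeline", "see_following"},
    "Read Write": {"read_timeline", "see_following", "follow", "unfollow",
                   "update_profile", "post_tweet", "delete_tweet"},
    "Read Write DM": {"read_timeline", "see_following", "follow", "unfollow",
                      "update_profile", "post_tweet", "delete_tweet",
                      "read_dm", "send_dm"},
}
ORDER = ["Read Only", "Read Write", "Read Write DM"]


def minimal_bundle(needed):
    """Smallest bundle that covers every action the app actually uses."""
    for name in ORDER:
        if set(needed) <= BUNDLES[name]:
            return name
    raise ValueError("no bundle covers: %s" % sorted(set(needed) - BUNDLES[ORDER[-1]]))


def overgrant(needed):
    """Actions the user is forced to grant although the app never uses them."""
    return BUNDLES[minimal_bundle(needed)] - set(needed)


# Constructed sample of a user's "apps" settings page (not real accounts).
SAMPLE_APPS = [
    {"name": "example-scheduler", "access": "Read Write", "last_used": date(2014, 11, 20)},
    {"name": "example-old-game", "access": "Read Only", "last_used": date(2013, 2, 1)},
    {"name": "example-inbox-tool", "access": "Read Write DM", "last_used": date(2014, 11, 21)},
]
TODAY = date(2014, 11, 22)  # fixed "today" so the sample output is reproducible


def audit_connected_apps(apps, today, stale_days=90):
    """Apply the closing advice: revoke stale apps, review any with DM access."""
    findings = []
    for app in apps:
        idle = (today - app["last_used"]).days
        if idle > stale_days:
            findings.append((app["name"], "revoke: unused for %d days" % idle))
        if app["access"] == "Read Write DM":
            findings.append((app["name"], "review: can read and send your direct messages"))
    return findings


if __name__ == "__main__":
    # An app that only posts tweets must still be granted profile edits and follows.
    print(minimal_bundle({"post_tweet"}), sorted(overgrant({"post_tweet"})))
    for name, advice in audit_connected_apps(SAMPLE_APPS, TODAY):
        print(name, "->", advice)
```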