DigitalLawUk
- BBC News - US politicians quiz Google on Glass privacy ow.ly/l8hNJ #DigitalLaw 1 day ago
- DigitalLawUK News Summary 17 May 2013 wp.me/p2xfMr-hT 1 day ago
- Sally Bercow pleads innocence over Lord McAlpine Twitter storm | Politics | The Guardian ow.ly/l833Q #DigitalLaw 1 day ago
- Do you trust the Financial Conduct Authority with your personal data? ow.ly/l7S63 #DigitalLaw 1 day ago
- RT @YorkshireUnion: Sign the petition to save legal aid wp.me/p2Q2H0-3n 1 day ago
- EU launches data protection campaign | Click Lancashire ow.ly/l7S2D #DigitalLaw 1 day ago
- FCA regulator to collect and share mortgage borrowers' personal data - Telegraph ow.ly/l7RZY #DigitalLaw 1 day ago
- Its not just the UK where jail can follow a tweet: Twitter activists jailed in Bahrain for insulting King ow.ly/l5Bnu #DigitalLaw 1 day ago
- BBC News - MPs challenge Google over UK tax reporting ow.ly/l5wnY #DigitalLaw 1 day ago
- ICO says business not ready for EU data protection reforms | News | TechRadar ow.ly/l5uuP #DigitalLaw 2 days ago
Countdown to Next Event
Doncaster Law Society Digital Law CPDMay 16th, 2013‘Social Media use, Social Media & The Law, Data Protection Privacy & Security (See Events Page)Blog Stats
- 2,809 hits
Archives
Categories
Meta
DIGITALLAWUK
Data Protection, Privacy & Security, Online Copyright, Social Media & the Law
The issue is the result of a flaw in Twitter’s API (application programming interface) that led to users not being properly informed about what permissions an application will have on their accounts once granted access. Cerrudo described the problem and explained how he discovered it in a blog post published Tuesday.
Applications that allow users to log in with their Twitter accounts have to be registered with Twitter at https://dev.twitter.com/apps. During registration, their developers have to declare the level of access the applications will have on people’s accounts: “read only,” “read and write” or “read, write and access to direct messages.”
When users attempt to log into such an application for the first time using their Twitter accounts, they get redirected to an authorization page on Twitter’s website that lists the permissions requested by the particular application.
The issue was reported to Twitter on Jan. 16 and was addressed in less than 24 hours, he said. They said the issue occurred due to complex code and incorrect assumptions and validations,” Cerrudo said in the blog post.
However, Twitter’s fix does not seem to apply retroactively. After Twitter fixed the issue, the app Cerrudo was testing that already had access to his account continued to display direct messages despite never receiving authorization from him to do so, he said.
Twitter users should check if any of the apps they authorized in the past also gained access to their direct messages without their knowledge, Cerrudo said. This can be done by reviewing their permissions on the Twitter Settings > Apps page.
Cerrudo decided to make this issue public because it can have serious implications and because Twitter did not issue a public advisory or announcement about it. The company should maintain a dedicated page where it can inform users about security issues, he said.
via Researcher: Twitter flaw gave third-party apps unauthorized access to private messages | PCWorld.
Share this:
Like this:
Posted by DigitalLawUK on January 23, 2013 in Comment, News Update and tagged Apps, direct messages, inbox, security, twitter.
Leave a Comment
About DigitalLawUK
Digital Law specialist advising on Data Protection, privacy, security, social media & the law and dispute resolution. Solicitor in England and Wales. Take a look at DigitalLawUK.com for more information on they type of advice we can provide