The Last HITB Security Conference in Malaysia

Hands-on Technical Trainings - 13th & 14th October

http://conference.hitb.org/hitbsecconf2014kul/#tile_schedule

Triple-Track Conference - 15th & 16th October

http://conference.hitb.org/hitbsecconf2014kul/conference-speakers/

 

Capture the Flag - 15th & 16th October

http://conference.hitb.org/hitbsecconf2014kul/capture-the-flag/

HackWEEKDAY - 15th & 16th October

http://conference.hitb.org/hitbsecconf2014kul/hackweekday/

CommSec Village - 15th & 16th October

http://conference.hitb.org/hitbsecconf2014kul/commsec-village/


Third-Party Twitter Apps Can Access Your Private Messages Without Authorization

http://www.flickr.com/photos/factoryjoe/3407916147/

Any third-party Twitter app developer can currently ask you to authorize software using OAuth under the pretense that they will not be able to access any of your private – both sent and received – messages, while in fact they easily can. TechCrunch was contacted by developer Simon Colijn, who hopes to make as many people aware of this privacy issue – or disaster, if you will – as possible.

Colijn created this test application to prove that the anomaly with the authorization process actually exists. You can use a dummy account if you’re not comfortable clicking anything on that page, but I just ran a test with my personal Twitter account.

Sure enough, I was shown an authorization screen that explicitly told me that the app would not be able to access my private messages … after which it swiftly did in mere seconds. To be clear, the developer had selected the option ‘Read-only’, which means he wasn’t supposed to be able to fetch (and thus download and store) my direct Twitter messages at all.
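The mismatch the article describes, a consent screen that promises one permission level while the API enforces another, is easiest to see with a small mock. The following Python is an added example written for this page, not code from Twitter, from Simon Colijn's test application, or from TechCrunch; the permission-level names, the token class and the sample messages are all constructed assumptions. It contrasts a direct-message endpoint that never checks the token's level with one that does, and includes the regression check an authorization-server team would keep to catch the consent text and the enforcement drifting apart.

```python
"""Added example (not code from the original article or from Twitter): a toy
OAuth-style resource server that shows the difference between a permission
level that is merely *displayed* on the consent screen and one that is
*enforced* at the API endpoint. All token data and messages are constructed."""

from dataclasses import dataclass

# Permission levels as the article describes them: the developer picks
# "Read-only" and the consent screen tells the user that direct messages
# stay out of reach. The constant names are assumptions for this example.
READ_ONLY = "read"
READ_WRITE = "read_write"
READ_WRITE_DM = "read_write_dm"

# Constructed sample data: one user's public timeline and private messages.
TIMELINE = {"alice": ["Hello world", "Lunch at noon"]}
DIRECT_MESSAGES = {"alice": ["(private) meet me at 5", "(private) invoice attached"]}


@dataclass
class AccessToken:
    user: str
    level: str  # the level shown on the consent screen and agreed to by the user


class ScopeDenied(Exception):
    """Raised by an enforcing endpoint when the token's level is insufficient."""


def consent_screen_text(level: str) -> str:
    """What the user is shown before clicking 'Authorize'."""
    if level == READ_WRITE_DM:
        return "This app will be able to read your direct messages."
    return "This app will NOT be able to access your direct messages."


# --- Vulnerable pattern: the endpoint trusts the consent screen to do the work.
def fetch_dms_unenforced(token: AccessToken) -> list:
    # Bug: token.level is never checked, so a read-only token receives the
    # direct messages anyway. This is the mismatch the article describes.
    return DIRECT_MESSAGES[token.user]


# --- Hardened pattern: every protected endpoint checks the granted level.
def require_level(token: AccessToken, *allowed: str) -> None:
    if token.level not in allowed:
        raise ScopeDenied(f"token level {token.level!r} cannot use this endpoint")


def fetch_timeline(token: AccessToken) -> list:
    require_level(token, READ_ONLY, READ_WRITE, READ_WRITE_DM)
    return TIMELINE[token.user]


def fetch_dms_enforced(token: AccessToken) -> list:
    require_level(token, READ_WRITE_DM)
    return DIRECT_MESSAGES[token.user]


def consent_matches_enforcement(token: AccessToken, endpoint) -> bool:
    """Defender's regression check: if the consent screen promised no DM
    access, the DM endpoint must refuse the token. Returns True when the
    promise and the actual behaviour agree, False when they diverge."""
    promised_dm = token.level == READ_WRITE_DM
    try:
        endpoint(token)
        actually_got_dm = True
    except ScopeDenied:
        actually_got_dm = False
    return promised_dm == actually_got_dm


if __name__ == "__main__":
    t = AccessToken(user="alice", level=READ_ONLY)
    print(consent_screen_text(t.level))
    print("unenforced DM endpoint agrees with consent:",
          consent_matches_enforcement(t, fetch_dms_unenforced))
    print("enforced DM endpoint agrees with consent:  ",
          consent_matches_enforcement(t, fetch_dms_enforced))
```

Run stand-alone, the script prints the read-only consent text, then `False` for the unenforced endpoint (the consent screen lied) and `True` for the enforced one. The design point is that the consent screen is only a description; the resource server's endpoints are the actual policy decision point, and a check like `consent_matches_enforcement` belongs in the test suite of whichever team owns the authorization server so that a new endpoint cannot ship without a level check.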