Third-Party Twitter Apps Can Access Your Private Messages Without Authorization

http://www.flickr.com/photos/factoryjoe/3407916147/

Any third-party Twitter app developer can currently ask you to authorize software using OAuth under the pretense that they will not be able to access any of your private – both sent and received – messages, while in fact they easily can. TechCrunch was contacted by developer Simon Colijn, who hopes to make as many people aware of this privacy issue – or disaster, if you will – as possible.

Colijn created this test application to prove that the anomaly with the authorization process actually exists. You can use a dummy account if you’re not comfortable clicking anything on that page, but I just ran a test with my personal Twitter account.

Sure enough, I was shown an authorization screen that explicitly told me that the app would not be able to access my private messages … after which it swiftly did in mere seconds. To be clear, the developer had selected the option ‘Read-only’, which means he wasn’t supposed to be able to fetch (and thus download and store) my direct Twitter messages at all.