We routinely authorize different apps to have limited access to our Twitter accounts. However, many of these apps can easily exceed the permissions they were granted and send out DMs from a user’s account without his or her knowledge.
Apparently, the vulnerability has been around for quite some time, but Twitter didn’t deem it important enough to patch. To cite an example, when you connect Twitpic to your account, the app says that it will be able to read your tweets, see your follow list and your followers, update your profile and post tweets for you. The app’s permissions make no mention of sending out DMs.
But by using the ‘d twitter_username message’ command, it is able to send DMs from the user’s account anyway. TNW apparently tested the vulnerability and was able to have DMs sent from a user’s profile using Twitpic.
The discovery is certainly worrisome because it means that virtually countless Twitter-related apps can perform this activity. Although a number of apps block the action and return an error, apps like Twitpic allow it. The worst part is that users rarely notice the DMs sent out from their accounts, which means that they don’t discover it most of the time.
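As an added illustration (not code from the original article, Twitter or Twitpic), the following Python shows the kind of pre-flight check an app can run on a status update to refuse the ‘d username message’ shortcut when it holds no DM permission, which is what the apps that “return an error” are effectively doing. The handle rules, case-insensitivity and whitespace tolerance are assumptions, since the article does not spell out Twitter’s parsing.

```python
import re

# Twitter's legacy text-command syntax as described in the article:
#   d <twitter_username> <message>
# Assumptions (not stated in the article): matching is case-insensitive,
# leading whitespace and an optional "@" before the handle are tolerated,
# and handles follow the 1-15 character [A-Za-z0-9_] rule. The guard is
# deliberately strict: anything that could be read as the command is refused.
DM_COMMAND = re.compile(
    r"^\s*d\s+@?(?P<user>[A-Za-z0-9_]{1,15})\s+(?P<message>\S.*)$",
    re.IGNORECASE | re.DOTALL,
)


class DmNotPermitted(Exception):
    """Raised when a status update would act as a DM the app may not send."""


def parse_dm_command(status_text: str):
    """Return (username, message) if the text would be interpreted as a
    'd username message' command, otherwise None."""
    m = DM_COMMAND.match(status_text)
    if not m:
        return None
    return m.group("user"), m.group("message").strip()


def guard_status_update(status_text: str, can_send_dms: bool = False) -> str:
    """Check an outgoing status update before it reaches the tweet-posting API.

    Ordinary tweets pass through unchanged. A DM command is only allowed when
    the app was explicitly granted DM permission; otherwise it is rejected
    instead of being silently posted (and silently turned into a DM).
    """
    parsed = parse_dm_command(status_text)
    if parsed and not can_send_dms:
        user, _ = parsed
        raise DmNotPermitted(f"refusing status that would DM @{user}")
    return status_text


if __name__ == "__main__":
    # Constructed sample statuses, not real tweets.
    for text in ["dinner at 8", "d alice meet me at 5", "  D @Bob_1 hi there"]:
        try:
            print("posted:", guard_status_update(text))
        except DmNotPermitted as err:
            print("blocked:", err)
```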
Moreover, when an app sends out a DM from a user’s account, the recipient doesn’t know that the message is from the app. Rather, the message is made to appear as if it is from the user himself. This way, apps can be used to launch phishing attacks on Twitter accounts.
Twitter has apparently been aware of the functionality for some time now. Although the company has ignored the issue until now, one hopes that the renewed noise over it will persuade Twitter to reconsider.