IOActive researcher Cesar Cerrudo recently came across a serious security flaw in Twitter's third-party application authorization: an app that a user had authorized without granting it access to direct messages could nonetheless read those messages, exposing users' private conversations to third-party application developers.
"The expert noticed the security hole while analyzing a web application that allowed users to sign into Twitter," writes Softpedia's Eduard Kovacs. "When he signed in, Twitter warned him that the app would read his tweets, see who he followed, follow new people, post new tweets, and update his profile. However, there was no mention of accessing direct [messages]. Yet, Cerrudo discovered that the app was displaying all his private messages."
"I tried to quickly determine the root cause, although I had little time," Cerrudo writes. "However, I could not determine this. I therefore decided to report the vulnerability to Twitter and let them do a deeper investigation. The Twitter security team quickly answered and took care of the issue, fixing it within 24 hours. This was impressive. Their team was very fast and responsive. They said the issue occurred due to complex code and incorrect assumptions and validations."
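The root cause Twitter cited, "incorrect assumptions and validations," is a familiar authorization bug class: a resource server that infers what a token may do from something other than the scope the user actually approved. The following is an added illustration of that class and is not Twitter's code or Cerrudo's; the scope names, endpoint paths, token layout and the assumption that GET maps to "read" and POST to "write" are all hypothetical. It places the flawed check beside a deny-by-default one and reports which endpoints a read/write-only token reaches that it should not.

```python
# Added illustration of the bug class the article describes: a resource server that
# does not tie each endpoint to the OAuth scope the user actually granted. It is not
# Twitter's code; the scope names, endpoint paths and token layout are assumptions.

from dataclasses import dataclass

# Hypothetical scope names, modelled loosely on the permission levels a user sees
# on a consent screen: "read", "write" and a separate "dm" grant for direct messages.
READ, WRITE, DM = "read", "write", "dm"


@dataclass(frozen=True)
class AccessToken:
    app_id: str
    scopes: frozenset  # scopes the user explicitly approved for this app


# Explicit per-endpoint policy: every route names the scope it requires.
# (Hypothetical paths; constructed for the example.)
ENDPOINT_SCOPES = {
    ("GET", "/statuses/home_timeline"): READ,
    ("GET", "/friends/list"): READ,
    ("POST", "/statuses/update"): WRITE,
    ("POST", "/friendships/create"): WRITE,
    ("GET", "/direct_messages"): DM,
    ("POST", "/direct_messages/new"): DM,
}


def authorize_vulnerable(token, method, path):
    """Broken check: assumes any GET is covered by the 'read' grant and any POST by
    'write', so an app with read/write access can also fetch direct messages."""
    if method == "GET":
        return READ in token.scopes
    return WRITE in token.scopes


def authorize_hardened(token, method, path):
    """Deny-by-default: look up the scope the endpoint requires and check it was granted."""
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return False  # unknown endpoint: refuse rather than guess
    return required in token.scopes


def scope_enforcement_report(authorize):
    """Exercise a read/write-only token against every endpoint and return the set of
    endpoints it reaches that its granted scopes should not cover."""
    token = AccessToken(app_id="example-app", scopes=frozenset({READ, WRITE}))
    leaked = set()
    for (method, path), required in ENDPOINT_SCOPES.items():
        if authorize(token, method, path) and required not in token.scopes:
            leaked.add((method, path))
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(scope_enforcement_report(authorize_vulnerable)))
    print("hardened leaks:  ", sorted(scope_enforcement_report(authorize_hardened)))
```

The live equivalent of this check is what surfaced the flaw in the article: authorize an app with only the read/write permission set, call the direct-message endpoint with its token, and expect a refusal. The finding was that the call returned the messages instead. The hardened version also refuses routes it has no policy entry for, so adding an endpoint without deciding its scope fails closed rather than silently inheriting a broader grant.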
"Cerrudo decided to make this issue public because it can have serious implications and because Twitter did not issue a public advisory or announcement about it," writes PCWorld's Lucian Constantin. "The company should maintain a dedicated page where it can inform users about security issues, he said."