Twitter authorisation misleads users
Twitter has been updating its OAuth system to allow finer-grained control over the permissions users give to third-party applications, that is, over which actions an app may take with their Twitter account. But Simon Colijn discovered that the implementation of this new system is incomplete and misleads users. He created an application that demonstrates the problem.
Colijn configured his application to request read-only access only. When a user is asked to authorise the application, they are told explicitly that it can only read their timeline tweets and see their followers, and that it cannot access their direct messages, see their password, post tweets, update their profile or follow new people. But that is not the case: Colijn's application can access direct messages, and it displays both the user's sent and received private messages. In a TechCrunch report, another developer tested the vulnerability and confirmed it.
It appears that Twitter changed the user interface and switched on the new OAuth permissions on 1 June, but deferred enforcing the controls on direct messages until 30 June. In the interim, users are incorrectly told they are not granting permission to access their direct messages when in fact they are.
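The failure described above is a gap between what the consent screen promises and what the API enforces. The following is an added illustration, not Twitter's code or Colijn's application: a hypothetical token store with a read-only scope, a consent text generator, the pre-enforcement lookup that serves any valid token, the enforced version that checks the granted scope before returning data, and an audit function a defender could use to find endpoints served to tokens whose consent text did not cover them. Endpoint paths, scope names and the sample data are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    user: str
    scopes: frozenset  # scopes the user actually agreed to on the consent screen


# Hypothetical endpoint -> required scope table (names are assumptions, not Twitter's).
REQUIRED_SCOPE = {
    "GET /statuses/home_timeline": "read",
    "GET /direct_messages": "direct_messages",
    "POST /statuses/update": "write",
}

# Constructed sample data for one user; the DM line stands in for private content.
DATA = {
    "GET /statuses/home_timeline": ["public tweet 1", "public tweet 2"],
    "GET /direct_messages": ["private: meet at 5"],
}


def consent_text(scopes):
    """Lines the consent screen shows. For a read-only app this mirrors the
    article: the user is told direct messages are out of reach."""
    lines = ["This application can read your timeline and see your followers."]
    if "direct_messages" not in scopes:
        lines.append("This application cannot access your direct messages.")
    if "write" not in scopes:
        lines.append("This application cannot post tweets or update your profile.")
    return lines


def fetch_unenforced(token, endpoint):
    """Pre-enforcement behaviour: any valid token is served, whatever its scopes.
    This is the state the article describes between 1 June and 30 June."""
    if endpoint not in REQUIRED_SCOPE:
        raise KeyError(endpoint)
    if endpoint.startswith("POST"):
        return "ok"
    return DATA[endpoint]


def fetch_enforced(token, endpoint):
    """Enforced behaviour: the granted scope is checked before any data is returned,
    so the consent text and the API agree."""
    required = REQUIRED_SCOPE[endpoint]
    if required not in token.scopes:
        raise PermissionError(f"{endpoint} requires scope '{required}'")
    return fetch_unenforced(token, endpoint)


def audit_scope_gaps(token, served_endpoints):
    """Detection: endpoints that were served to this token although the token's
    scopes (and therefore the consent screen) did not cover them."""
    return [ep for ep in served_endpoints if REQUIRED_SCOPE[ep] not in token.scopes]


if __name__ == "__main__":
    read_only = AccessToken("alice", frozenset({"read"}))
    print("\n".join(consent_text(read_only.scopes)))
    # Served despite the promise on the consent screen:
    print(fetch_unenforced(read_only, "GET /direct_messages"))
    try:
        fetch_enforced(read_only, "GET /direct_messages")
    except PermissionError as exc:
        print("blocked:", exc)
    print(audit_scope_gaps(read_only, list(DATA)))
```

The point of `audit_scope_gaps` is that a provider rolling out scopes in stages can compare its access logs against granted scopes and see exactly which requests the consent screen did not authorise, rather than discovering the mismatch from a third-party demonstration.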