
Last Friday, June 10, was a stunning day and a real ‘wow’! It all started with researching Twitter’s OAuth flow for Statusboard; OAuth is what a website uses to connect a third-party application to Twitter. The user authorizes the app at a specific permission level while connecting. Since May 17 the number of levels changed from two to three.
The most important change concerns the authorization of your private messages, both sent and received Direct Messages. Since the change, access to these private messages is covered by level 3, named ‘Read, Write, & Private Message’.

When a developer connects his application to an existing account, he can choose a preferred level, and the levels are clearly shown. This level of authorization is also visible to the user when he authorizes the application. But here the user is misled and will eventually authorize the application in a way he did not know.
While testing the Twitter OAuth flow I made a simple test with an application that uses authorization level 1, ‘Read Only’. So the user only grants read access to all his information, except for his private messages. This description is clear for everyone to see, and a developer can’t change this authorization text since it lives on twitter.com.

However, my application does have access to all your private messages and I’m actually able to store and share these messages, without any unusual script or hacks. Why? The user gave me access ..... or did Twitter?
That’s the bug, leak, privacy hole, big problem, UI screw-up or whatever one calls it. The provided information tells the user one thing and the application does another. So it’s clear that the level of authorization is a bit of a problem here and the user provides the application with all his private information. I made a test which lets the user authorize my application; after the redirect from Twitter it shows the timeline and mentions (which are public), but also both sent and received messages, which are private. This is a great way to show users how serious it is, and it works for any random user!
When I discovered this I was actually flabbergasted and thought I had made a mistake, maybe in the backend of the application. Double-checking and another test made me conclude that Twitter’s OAuth connection has a privacy leak and this has to change. I can’t use this connection for reading someone’s timeline while knowing their private messages are all accessible without any authorization. I tweeted about it before setting up the test page.
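The check the post describes, as an added example that is not the author’s test page or any Twitter code: sign requests with OAuth 1.0a (HMAC-SHA1, RFC 5849) and compare the level the authorization screen advertised with what the token can actually fetch. It assumes the API v1 paths of mid-2011, assumes Twitter reported the token’s level in an `X-Access-Level` response header with the values `read`, `read-write` and `read-write-directmessages`, uses placeholder credentials, and ships with two constructed fake transports (one mirroring the mismatch reported in the post, one for a correctly scoped read-only token) so it runs offline. Only GET requests are made, because an audit must never post on the user’s behalf.

```python
"""Probe the effective permission level of a Twitter OAuth 1.0a token.

Added example, not code from the original post. Endpoint paths, header names
and header values are assumptions about the 2011 API v1; credentials are
placeholders; the fake transports below are constructed sample data.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

API_BASE = "https://api.twitter.com/1"          # assumed v1 base URL (2011)
PUBLIC_PROBE = "/statuses/home_timeline.json"   # needs only 'read'
DM_PROBE = "/direct_messages.json"              # needs 'read-write-directmessages'

# Levels as the authorization screen names them (post) mapped to the values
# assumed for Twitter's X-Access-Level response header.
LEVELS = {
    "Read Only": "read",
    "Read & Write": "read-write",
    "Read, Write, & Private Message": "read-write-directmessages",
}


def _pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay unescaped."""
    return quote(str(s), safe="")


def oauth1_header(method, url, params, consumer_key, consumer_secret,
                  token, token_secret, nonce=None, timestamp=None):
    """Build an OAuth 1.0a HMAC-SHA1 Authorization header (RFC 5849 section 3)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Signature base string: method, base URL and the normalised parameters
    # (query + oauth_*), each percent-encoded, sorted by encoded key then value.
    pairs = sorted((_pct(k), _pct(v)) for k, v in {**params, **oauth}.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _pct(url), _pct(normalised)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth.items()))


def effective_level(send, creds):
    """Return (capabilities the token really has, last X-Access-Level seen).

    send(method, url, headers) -> (status, headers) is the HTTP transport.
    Only GET requests are issued: an audit must not write on the user's behalf.
    """
    granted = set()
    header_level = None
    for path, cap in ((PUBLIC_PROBE, "read"), (DM_PROBE, "read-write-directmessages")):
        url = API_BASE + path
        auth = oauth1_header("GET", url, {}, *creds)
        status, headers = send("GET", url, {"Authorization": auth})
        if status == 200:
            granted.add(cap)
        header_level = headers.get("X-Access-Level", header_level)
    return granted, header_level


def audit(advertised, send, creds):
    """Compare the level the user was shown with what the token can do."""
    granted, header_level = effective_level(send, creds)
    expected = LEVELS[advertised]
    dm_readable = "read-write-directmessages" in granted
    leaks_dms = dm_readable and expected != "read-write-directmessages"
    return {
        "advertised": expected,
        "header": header_level,
        "dm_readable": dm_readable,
        "mismatch": leaks_dms or header_level not in (None, expected),
    }


def fake_send_june_2011(method, url, headers):
    """Constructed responses mirroring the post: a 'Read Only' app could still
    fetch both the public timeline and Direct Messages."""
    assert headers["Authorization"].startswith("OAuth ")
    return 200, {"X-Access-Level": "read-write-directmessages"}


def fake_send_correct(method, url, headers):
    """Constructed responses for a properly scoped read-only token."""
    if url.endswith(DM_PROBE):
        return 401, {"X-Access-Level": "read"}
    return 200, {"X-Access-Level": "read"}


CREDS = ("consumer-key", "consumer-secret", "user-token", "user-token-secret")  # placeholders

if __name__ == "__main__":
    print(audit("Read Only", fake_send_june_2011, CREDS))   # mismatch: True
    print(audit("Read Only", fake_send_correct, CREDS))     # mismatch: False
```

To run it against a live account, replace `fake_send_*` with a transport that performs the signed GET and returns the status code and response headers; a `mismatch` of `True` for a token that the screen advertised as ‘Read Only’ is exactly the condition the post describes.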
What to do? I’m ‘just’ a Dutch developer and Twitter is one of those giant companies overseas. Gladly I was supported by the Supersteil team, and eventually I tweeted about it and contacted some great, well-visited sites in the US. Since I’m Dutch I also mailed Tweakers, a Dutch site, and they phoned me for my story. It all went very quickly: Skyping with some serious people, talking on the phone and sharing it on Twitter.
Within hours articles about the discovery were written on sites like Mashable, TechCrunch, Tweakers and Twittermania, and of course shared on Twitter. People reacted to the story, shared the articles 1000+ times and also shared my test in their timelines to warn other users.
After a while Twitter responded to the story by telling us they’re still in the shift from two to three levels and that this transition is extended until the end of June.
Besides that I read a reply from Matt Harris, Developer Advocate at Twitter, which linked to the Twitter application permission model. This tells us it all changed at the end of May.
It also says the information shown in the UI isn’t equal to the authorization level of the application, which confuses us even more. Does this mean they just slack in precision, or do they just not care that much? I thought user privacy was a big thing!?

Conclusion: Twitter knew about it all the time and it’s a lack of precision and privacy control. They wrote that the authorization had to be changed from two to three levels, but part of it is uploaded and part of it just wasn’t ready to be used. We just take that for granted, but maybe it actually is a bug or leak.
The most shocking thing is, Twitter is not changing anything besides adding two lines of text to the authorization screen. Any application a user authorized from June 1 till June 10 is able to read all your private messages without any user authorization. Imagine millions of users using multiple applications and trying out new apps on a regular basis: these users didn’t know anything about the lack of privacy control and just trusted what they were told on the screen.
Some stats from that day:
3 responses from Twitter
2,000 story retweets
4,000,000+ Twitter users reached
1,000 Google search results for ‘Twitter OAuth Bug’
2,319 page visits
353 OAuth tests done
7 languages written in, even Japanese
1 goal completed
And that was only the first day, from midday on! My goal is completed, and Twitter and its users are informed. So check your authorized apps and think twice before clicking that button!