Saturday, December 14, 2013

How to send DM on Twitter w/o permission

I just recalled the "SMS commands" feature and tried to send a DM (a private, direct message) with the "Share on Twitter" button. It works!

But you know what's really cool? ANY app can send a DM on behalf of your account by sending "d NAME TEXT" to the API. I just tested with Twitpic; as you can see, it doesn't require any DM permissions.

Another guy claims he reported it before and Twitter refused to fix it.

Why is it a bug?
1) An app is supposed to hold the Read & Write permission that covers DMs before it can access them. With this shortcut you can bypass that protection.
2) DMs are easier to use for spam; the user will barely notice.
3) DMs also don't show whether they were sent with the official client or a 3rd-party OAuth client, which is great for phishing.

API docs:
[no permission] https://dev.twitter.com/docs/api/1.1/post/direct_messages/new
[warns about permission] https://dev.twitter.com/docs/api/1.1/get/direct_messages/show
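As an added example (not code from this post or from Twitter), here is the server-side check a platform would want for the bypass described above: a status update using the "d NAME TEXT" shortcut is only allowed to become a DM when it arrives over the SMS channel or from an OAuth client that actually holds DM permission; otherwise it is refused instead of silently turning into a DM. The permission names, the StatusRequest shape and route_status are assumptions.

```python
"""Added example, not Twitter's code: keep the SMS-command shortcut
("d NAME TEXT") from acting as a DM when the status update comes from
an OAuth client that was never granted DM access."""
import re
from dataclasses import dataclass

# Hypothetical permission levels an OAuth client can be granted.
READ, READ_WRITE, READ_WRITE_DM = "read", "read_write", "read_write_dm"

# Legacy SMS syntax: "d NAME TEXT" means "send TEXT as a DM to NAME".
_DM_COMMAND = re.compile(r"^\s*d\s+(\S+)\s+(.*)$", re.IGNORECASE | re.DOTALL)


@dataclass
class StatusRequest:
    client_permission: str  # permission the posting OAuth client holds
    via_sms: bool           # True only for messages from the SMS channel
    text: str


def parse_dm_command(text):
    """Return (recipient, body) if text uses the DM shortcut, else None."""
    m = _DM_COMMAND.match(text)
    return (m.group(1), m.group(2)) if m else None


def route_status(req):
    """Decide how a status update is handled: 'tweet', 'dm' or 'reject'."""
    if req.client_permission == READ:
        return "reject"            # read-only clients cannot post at all
    if parse_dm_command(req.text) is None:
        return "tweet"             # ordinary status update, post as-is
    if req.via_sms:
        return "dm"                # the shortcut is an SMS feature; honour it there
    if req.client_permission == READ_WRITE_DM:
        return "dm"                # API client explicitly authorised for DMs
    # A Read & Write client without DM access: refuse rather than let the
    # text escalate into a DM the user never authorised the client to send.
    return "reject"
```

A rejected request should carry an error telling the client that DM permission is required, so a legitimate app learns why its post was refused.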

20 comments:

  1. You hope this post justifies your recent chunk of messages to my account?

  2. verified that it works by sending you a DOGE by DM!

  3. Is this news? That is the classic syntax for DMs as it was when DM were introduced. Back then there was just one input field and everything had to fit in the 140 characters. No embedded images and shortened urls and stuff like that.

    1. The vulnerability is that any OAuth client can send a DM while only having the ability to send regular tweets to the public timeline. A client is supposed to get a special permission to send DMs, which my hack bypasses.

  4. So just because you won't get paid means you can throw responsible disclosure right out the window?

    1. Not always, given it's a company like Twitter, and they *intentionally* refuse to acknowledge guys with rewards. It all doesn't matter because another guy said he reported it before and they refused to fix it. Omg

    2. Are you kidding me @ Anonymous? It's already fine that he reported the vulnerability; what else do you want? A PDF file that explains every step?

    3. @Egor
      IIRC, the update to this post was posted after I made the comment, I think I can be forgiven for not knowing someone else had reported it.

      That being said, rewards are a new-ish thing; for a long time, security researchers weren't rewarded with anything more than an acknowledgement. Occasionally, they'd be offered a job but more often than not, an acknowledgement is all they'd get.

      To *expect* a reward is like a waitperson *expecting* a gratuity at a restaurant (where gratuities are common, that is). It's called a gratuity for a reason.

      Responsible disclosure is the name of the game in security research; it doesn't take a whole lot of effort to wait a couple of days before reporting to the world at large.

      @Anon
      It would've been nice to see industry-standard responsible disclosure being practiced. As a twitter user myself, suppose twitter really did care about this bug; I'd prefer it fixed before the world (including spammers) at large knows about it.

    4. No more free bugs. Valuable find. If you aren't reimbursed for the value, why not do what you wish? Hippy.

    5. This comment has been removed by the author.

    6. @Anon If you expect a reward then get a job working for a security research company; otherwise, you are a volunteer and since when have volunteers been guaranteed reimbursement? And as for "do[ing] what you wish", I'm not even going to address that absurdity.

    7. Lulz @ security researchers are like wait staff. Author of comment obviously is not of sufficient logical capability to be a security researcher.

    8. @Anon I was equating the expectation of a gratuity as wait staff to the expectation of a monetary reward as a volunteer. I think they're pretty equivalent situations: both are voluntarily given by the other party in the situation and the receiving party has no grounds on which to complain about the amount, if any. Given the situation for OP, this is a fair comparison.

  5. Hard to believe it has been found only now, I'm sure someone knew this before you and made tens of thousands of dollars by exploiting the "flaw".

  6. It doesn't work any more. I tried with Twitpic.

  7. So is it fixed now? Can you confirm, Egor?

  8. @Egor - Great find! Keep it up, glad to see someone is willing to smack the PBR right out of the Twitter hipsters' mitts!

  9. Doesn't work anymore.
