I knew it… sooner or later this story had to come up. Twitter is a site that today is full of security holes, and now comes the one everyone feared: a single flaw can hand malicious users control over the DMs a person has sent and received. You know those confidential messages that nobody else should ever see? Be careful, they can become public.
The warning comes from Gary-Adam Shann, a security expert who analyzed the way applications interact with the blue bird's microblogging service. According to Shann, getting hold of someone's DMs would be very easy: it would be enough to create an application that asks the user to authenticate with Twitter. From there, a malicious user would have access to the coveted DMs and could make them public, or do whatever he wanted with them, to tell the truth.
Unlike the recent flaws that hit Twitter and Orkut, this kind of attack would not involve XSS techniques, in which code hosted on a third-party server is run by the browser from a tweet or scrap. Instead, it would rely on access to Twitter's API, which is public, and which is the way applications pull information from inside a user's account.
Shann is essentially describing what applications like TweetDeck and Echofon already do: offer a prettier interface while using Twitter's own features. With these apps you can receive and send DMs, which shows that developers can have access to that information.
In the security expert's case, he had a WordPress plugin that, once modified, made any interaction with the site that involved authenticating through Twitter result in the user's DMs being obtained. Those direct messages could then, quite simply, be sent to the website owner's e-mail.
Twitter has not yet commented on the point raised by the specialist.