Back in 2013, the OAuth keys and secrets that official Twitter apps use to access users’ Twitter accounts were disclosed in a post to Github… a leak that meant that authors didn’t need to get their app approved by Twitter to access the Twitter API.

Years later, the chickens are still coming home to roost: on Friday, researcher Terence Eden posted about finding a bug in the OAuth screen that stems from a fix that Twitter used to limit the security risks of the exposed keys and secrets.

The bug involved the OAuth screen saying that some apps didn’t have access to users’ Direct Messages… which was a lie.

Imagine the airing of dirty laundry that could ensue, Eden said:

“You’re trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions – phew – it doesn’t want to access your Direct Messages. You authorise it – whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic!”

Eden explained that Twitter put in place some safeguards following the publishing of its OAuth keys and secrets, the most important being that it restricts so-called callback addresses. After the apps successfully log in, they then return only to a predefined URL. In other words, a developer can’t use those API keys with their own app.

The problem is, not all apps have a URL, or support callbacks, or are, in fact, actual apps. For those situations, Twitter provides a secondary, PIN-based authorization method. “You log in, it provides a PIN, you type the PIN into your app,” and the app is authorized to read your Twitter content, Eden explained.

That’s the spot where the bogus OAuth information was being fed to the user, Eden said. The dialog was erroneously telling the user that the app couldn’t access direct messages, though it could. Eden:

“For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!”

Eden submitted his findings via HackerOne on 6 November. After Eden clarified some points for Twitter, it accepted the issue on that same day. Twitter fixed the bug on 6 December, announced that it was paying Eden a bounty of $2,940 and gave him the go-ahead to publish the details of his report.

Eden told media outlets that by using his proof of concept, he was able to read his own direct messages, along with those of a dummy account he had created.

It would have been a difficult attack to pull off, he said:

“An attacker would have had to convince you to click on a link, sign in, then type a PIN back into the original app. Given that most apps request DM access – and that most people don’t read warning screens – it is unlikely that anyone was misled by it.”

Twitter agrees and said that users don’t have to lift a finger: there’s no danger of our DMs being intercepted. From its summary on the HackerOne report:

“We do not believe anyone was misled by the permissions that these applications had or that their data was unintentionally accessed by the Twitter for iPhone or Twitter for Google TV applications as those applications use other authentication flows. To our knowledge, there was not a breach of anyone’s information due to this issue. There are no actions people need to take at this time.”
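The callback path and the PIN-based path described above are two routes to the same grant, and the defect was that one of them showed the user a different permission set than the token actually carried. The following is an added model of that bug class with the parity check that catches it; it is not Twitter's or Eden's code, and the app name, permission names and the legacy description table are assumptions.

```python
# Added model, not Twitter's code: two authorization paths (callback and
# PIN/"oob") that must show the user exactly what the token will be able to do.
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset   # authoritative set the issued token will carry
    callback_url: str = ""   # empty: app has no URL, so the PIN flow is used

class AuthServer:
    def __init__(self, single_source: bool):
        self.single_source = single_source
        # Hypothetical legacy table read only by the PIN path and never
        # updated when an app later gained DM access: the bug class modelled.
        self._oob_descriptions = {}   # app name -> permissions to display
        self._pending = {}            # pin -> (app, granted permissions)

    def register(self, app: App, oob_description: frozenset) -> None:
        self._oob_descriptions[app.name] = oob_description

    def consent_screen(self, app: App) -> frozenset:
        """Permissions displayed to the user before they approve."""
        if not app.callback_url and not self.single_source:
            return self._oob_descriptions[app.name]  # stale copy
        return app.permissions

    def approve(self, app: App) -> str:
        """User approved: mint a PIN (or code) bound to the real grant."""
        pin = f"{secrets.randbelow(10**7):07d}"
        self._pending[pin] = (app, app.permissions)
        return pin

    def exchange(self, pin: str) -> dict:
        app, granted = self._pending.pop(pin)
        return {"access_token": secrets.token_hex(16), "scope": granted}

def consent_matches_grant(server: AuthServer, app: App) -> bool:
    """Parity check: what the user saw must equal what the token can do."""
    shown = server.consent_screen(app)
    token = server.exchange(server.approve(app))
    return shown == token["scope"]

def demo(single_source: bool) -> bool:
    """Constructed scenario: a PIN-only app registered with DM access."""
    app = App("dank-memes-cli", frozenset({"read", "write", "direct_messages"}))
    server = AuthServer(single_source)
    server.register(app, oob_description=frozenset({"read", "write"}))
    return consent_matches_grant(server, app)
```

Running the parity check over every registered app and every authorization path, not just the callback one, is what would have flagged this before release.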