• United States



Twitter: Who is reading your DMs? There’s an app for that…

Oct 18, 20107 mins
Data and Information SecurityEnterprise ApplicationsMicrosoft

Your "private" direct messages can be read by any third party app to which you've given Twitter OAuth permission.

Twitter is great way to share information and find likeminded individuals, as well as a great way for mining personal data or social engineering. Like most social media, it can be used for good or for evil and has a plethora of privacy and security issues. Do you remember that DM from six months ago? Well your third party app does.

Twitter uses Open Authorization (OAuth) that allows users to hand out tokens instead of a username and password for granting a third party site access to the user’s information. Many sites have incorporated OAuth protocol like Twitter, Facebook, Yahoo, Google has OAuth support for Gmail and even Microsoft added OAuth 2.0 as an option for accessing its Azure cloud platform. OAuth 2.0 is the newest version of OAuth protocol but it is not compatible with OAuth 1.0. When talking of OAuth 2.0, one of the OAuth creators, Yahoo director of standards development Eran Hammer-Lahav, blogged, “The OAuth community has made a big mistake about the future direction of the protocol.” Yahoo social and developer platform chief architect Subbu Allamaraju posted about an OAuth security flaw. He wrote, “while OAuth 2.0 is a step in the right direction, the approach would be would be susceptible to man-in-the-middle attacks where a malicious party could gain access if it intercepts a token.”

In case you are not on Twitter, then a Direct Message (DM) is a supposedly private message that can be sent between two Twitter users with accounts who follow each other. These DMs show up for the recipient and not in the main Twitter feed. Many people do some serious DMing, but since it is limited to 140 characters, then email addresses are often privately exchanged in a DM. This makes DMs a rich target for spammers, scammers, and anyone else who might wish to harvest those email addresses.

Mike Champion, the VP of engineering at Twitter app directory Oneforty, blogged on Twitter permissions and security. In regard to Direct Message Privacy, Champion asked, “Do you consider your DMs private? People increasingly use DMs like short emails or IMs and assume it is a private channel between two people. In reality any app you have granted access can read all of your DMs.” In additional, Champion warned that if an app can get your token with full-write access, then it could be evil in a number of ways: “Unfollow all your friends – Or follow all sorts of spam or embarrassing accounts. Send out DM spam as you – Your friends would likely click on a shortened link you DM them. Delete your tweets.” He then recommends a service to backup tweets.

I tried one such backup service, BackupMy.Net which was available for *free* if you allowed the app to tweet a recommendation from your twitter account. While that is better than a pushy app that tweets without notification, a person should think about if the app is truly trustworthy for read-write access. If you agree, the backup grabs all available tweets –up to a 3,200 limit. I tried this in terms of what might be used by data miners or other programs with software designed to identify social cliques you didn’t even know you had. After running my tweets through a few programs, Wordle gave me a picture of what words I most used, therefore the most important to me as a privacy and security watchdog.

We who social network are often on information overload. Hashtags are a superb way to find other tweeters with the same interests such as #privacy or #security. “According to RowFeeder, the term ‘security’ is tweeted ~736 times an hour,” tweeted IBMFedCyber. There are many ways to check on hashtags that are important to you, such as Tweet Volume which shows that privacy was tweeted 34,900,000 times in the last year.

To find links between people, other interesting people to follow, or tweeters who use the same hashtags as you do, the mentionmap is one of my favorites. It shows a visualization that runs in your browser to display data from the Twitter API. Mentionmap helps you, or anyone, to explore your Twitter network and subnetworks. The graph visualization displays profile images, usersnames and hastags. You might find some great new friends, or you might find you are “connected” to some people that you wish you were not. Businesses, enterprises, or brand names may even see how they are being represented by tweets. The lines drawn between nodes are thicker if users talk more often and hovering on the line can reveal the exact number of mentions. The appearance of each node changes depending on its distance from the selected user or hashtag.

You also might take a look at your tweets to see which ones came from a third-party application. The name of the source will be to the right of the time-stamp like “via web” or “from Flickr” or “via Twitter for iPhone.” There are only two types of account access authorizations: read-write or read-only. In either case, the app that has been granted permission to a Twitter account, can read all DMs. Most developers don’t want to read your DMs, but why leave all those third party apps with permission to your Twitter account?

We know to be careful about clicking since malware is everywhere, but many people have had their accounts hacked because an app was taken over by malicious people. If that happens, then you have to take care of damage control to your compromised account. People are generally ticked to have been spammed with DMs or to have clicked on a link that led to malware. It’s not so easy to repair the damage to your reputation, even if you didn’t personally do it but a third party app run by a cybercriminal did.

You can sign in to your Twitter account, click on Settings and then Connections. This will show all the third party apps that you have approved. It also will show the type of access, read-only or read-write. If you are no longer using an app, or don’t even recall using it, or if it seems at all odd, then simply revoke access. OAuth 2.0 was intended for designers of Web applications and not all of them are security experts. You can always give an app permission again if and when you decide to use it.

Lastly, from a privacy angle…tweets are not private. Twitter started transferring all tweets to the Library of Congress on 10/10/10. Any tweet that is 6 months or older will be saved forever. But if you want to tweet without ending up archived by the U.S. government, there is a way. If you add #noloc as a hashtag, when that tweet turns 23 weeks old, will delete it automatically before that tweet is transferred to the Library of Congress.

Like this? Check out these other posts:

  • All of today’s Microsoft news and blogs
  • Microsoft Proposes Each PC Needs A Health Certificate or No Net Access Allowed
  • EFF Warns of Untrustworthy SSL, Undetectable Surveillance
  • Microsoft’s Davis on Privacy: Your Digital Life Data is Bankable Currency
  • ACLU Report: Spying on Free Speech Nearly At Cold War Level
  • BLADE: Software Weapon to Cut the Wicked Heart out of Drive-by Malware
  • Facial recognition: Identifying faces in a crowd in real-time
  • Microsoft’s Live@edu email not encrypted on cloud servers
  • Cyber-Warfare: U.S. Military Hackers and Spies Prepare to Knock the World Offline
  • Privacy Choices: Who’s Watching You and Tracking Your Clicks?

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.