Twitter OAuth Bug Leaves Direct Messages at Risk [UPDATED]

UPDATE: Twitter has responded to our inquiry with a statement. Twitter is fixing the error, though it turns out to have been more of a short-term foresight than a hole.

Dutch developer Simon Colijn (@simoncolijn) contacted Mashable with some disturbing information about the actual access level third-party Twitter applications might have to users' information, including direct messages.

Unless explicitly requested and granted, third-party apps aren't supposed to be able to do things like post tweets or access direct messages. What Colijn has found, however, is that direct messages -- both those sent and those received -- can be accessible to those third-party apps.

Colijn whipped up a third-party app to show the vulnerability in action and we tested it with a newly created Twitter account. Sure enough, Colijn's app was able to show us direct messages we sent to other users and that we had received. Scary stuff.

TechCrunch has done some additional research and hypothesizes that this authorization leak might be the result of some planned changes regarding the ways that Twitter devs can request access to account information and what information users can give those apps.

We're still trying to understand the technical issues surrounding the API and OAuth, but that theory appears to be true. In this case, what happened is that Twitter has pushed back its DM enforcement date -- the date on which DM access will be shut off for all apps that don't need it -- but the company hasn't pushed back the rollout of its new authorization screens. So what users see on the consent screen isn't exactly what the app gets.

TechCrunch also points out that developer Mike Robinson has created his own test app that re-creates the same authorization hole.
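To make the mismatch concrete, here is an added example (not code from the article, from Colijn, or from Twitter) that models a resource server enforcing the access level a user granted on the consent screen. The endpoint paths and level names are hypothetical; the `enforce_dm` flag stands in for the DM enforcement date the article describes, and `consent_mismatch` reports any resource an app can reach that the consent screen never showed.

```python
# Added example (not from the article or from Twitter): a minimal model of how
# an OAuth resource server should enforce the access level a user granted on the
# consent screen. Endpoint paths and level names are hypothetical.

READ, READ_WRITE, READ_WRITE_DM = "read", "read_write", "read_write_dm"
LEVELS = {READ: 0, READ_WRITE: 1, READ_WRITE_DM: 2}  # each level includes the lower ones

# Minimum level each resource requires (hypothetical paths).
REQUIRED = {
    "GET /home_timeline": READ,
    "POST /statuses/update": READ_WRITE,
    "GET /direct_messages": READ_WRITE_DM,
    "GET /direct_messages/sent": READ_WRITE_DM,
}


def consent_screen(level):
    """Resources the consent screen tells the user the app will be able to use."""
    return sorted(r for r, need in REQUIRED.items() if LEVELS[level] >= LEVELS[need])


def authorize(level, resource, enforce_dm=True):
    """Resource-server check for one call.

    enforce_dm=False models the gap in the article: the DM level is already
    shown on the consent screen but not yet enforced, so DM endpoints are
    treated like any other read-only resource."""
    need = REQUIRED[resource]
    if not enforce_dm and need == READ_WRITE_DM:
        need = READ
    return LEVELS[level] >= LEVELS[need]


def consent_mismatch(level, enforce_dm=True):
    """Resources reachable with this token that the consent screen did not grant.

    An empty list means what the user saw is what the app gets."""
    shown = set(consent_screen(level))
    return sorted(r for r in REQUIRED if authorize(level, r, enforce_dm) and r not in shown)


if __name__ == "__main__":
    print("enforcement off:", consent_mismatch(READ, enforce_dm=False))
    print("enforcement on: ", consent_mismatch(READ, enforce_dm=True))
```

With enforcement off, a read-only token reaches both DM endpoints that its consent screen never listed; with enforcement on, the list is empty.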
