The Social Media Channel
Twitter vulnerability lets apps send DMs without user permission

Posted: 14 Dec 2013 11:09 AM PST

Security researcher Egor Homakov has discovered a Twitter vulnerability which allows apps to send DMs without requiring explicit user permission. TNW has verified the findings and can confirm the bug.

This means Twitter apps that don't ask for permission to send DMs can do so anyway. For example, Twitpic doesn't ask for access to your DMs when you connect it to your account:

Nevertheless, by using the command "d twitter_username message" the app can send a DM to anyone you can normally send DMs to. The app never has to check with the user if he or she is okay with sending a DM.

Here is a test message we tried to send:

Here is the immediate result:

It's worth noting that some apps block this functionality. Buffer, for example, gives the following error: "Sorry, direct messages can't currently be sent through Buffer." Other apps we tested, however, sent DMs without a hitch.

Homakov gives three reasons as to why this is a bug:
Per the last point, I knew my test was successful because I had a DM notification: Martin was waiting for the message and responded immediately. If Twitpic, or any other Twitter app for that matter, had sent a message on my behalf to my Twitter friends, I would not know until one of them responded or I decided to check my DMs on a whim.

In other words, there's a lot of potential for abuse here. Another vulnerability researcher, DaKnOb, says he found the flaw a year ago and reported it to Twitter. The company allegedly said it wasn't something that needed fixing:

This flaw may require users to connect a malicious Twitter app to their account, but after that, they are quite vulnerable. The fact it has been known for so long without being addressed is quite worrying.

We have contacted Twitter about this issue. We will update this article if we hear back.

Top Image Credit: Leon Neal/AFP/Getty Images
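As an added example (not code from the article, from Twitter or from any app it names), here is a guard that an app or posting proxy without DM permission could run before forwarding a status update, so that text in the "d twitter_username message" form is rejected instead of being delivered as a DM. The matching rules (case-insensitive `d`, optional `@`, usernames of 1 to 15 characters) and every name in the code are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed matching rules: the command letter is case-insensitive, may follow
# leading whitespace, and the username may carry a leading "@". Usernames are
# taken to be 1-15 characters from [A-Za-z0-9_]. A bare "d username" with no
# message body is also treated as a command, to stay on the conservative side.
_DM_COMMAND = re.compile(
    r"^\s*d\s+@?([A-Za-z0-9_]{1,15})(?:\s+(.*))?$",
    re.IGNORECASE | re.DOTALL,
)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    recipient: Optional[str] = None
    reason: str = ""


def check_status(text: str, app_may_send_dms: bool) -> Verdict:
    """Decide whether an outgoing status update may be forwarded.

    app_may_send_dms is the permission the user actually granted the app.
    """
    match = _DM_COMMAND.match(text)
    if match is None:
        return Verdict(allowed=True)
    recipient = match.group(1)
    if app_may_send_dms:
        return Verdict(True, recipient, "DM command, permission granted")
    return Verdict(
        False, recipient,
        "status would be delivered as a DM to @%s" % recipient,
    )


def blocked_recipients(queue, app_may_send_dms=False):
    """Return the recipients of every queued status the guard rejects."""
    verdicts = (check_status(text, app_may_send_dms) for text in queue)
    return [v.recipient for v in verdicts if not v.allowed]


# Constructed sample queue: two ordinary tweets and two DM-shaped ones.
SAMPLE_QUEUE = [
    "Don't miss our new photo upload feature",
    "d example_user check out this link",
    "  D @other_user hello",
    "d, what a day",
]
```

Ordinary tweets that happen to begin with "d " followed by a short word are rejected too, which matches how the command form is ambiguous with plain text.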
Twitter tests showing tweets near your location on iOS

Posted: 14 Dec 2013 10:34 AM PST

Over the past few weeks, Twitter has been running a number of public iOS tests, with many users seeing slightly different versions of the app compared to others. Today, the WSJ reports that an interesting new feature is appearing for some users that shows tweets near their location on a map.

The 'nearby' feature shows up as one of the new timelines accessed by swiping across from the default view, a feature which was added just a few days ago.

It's been possible to attach location to a tweet since 2010, but Twitter has yet to really take advantage of having that data by presenting it in a meaningful way. By adding the ability for users to see events unfolding near them, it could help with local discovery of events or disasters in almost real time, but ultimately the goal is to make other users' tweets more relevant for the user.

Such a feature could also encroach on Foursquare's territory by allowing users to quickly see hot locations nearby without having to open another app.

When asked for comment, Twitter declined but linked to its blog post about experiments, as always.

➤ Twitter Test Shows 'Nearby' Tweets [WSJ]
You are subscribed to email updates from The Next Web » Social Media.