A security loophole in Twitter can give website developers easy access to users' private direct messages, messages that are exchanged between two people and not meant to be shared on Twitter or with anyone else, according to a report.
Search engine and security specialist Gary-Adam Shannon writes on SearchEngineWatch.com that "worries" about such access "have been floating in the Twitter streams of late. Many have voiced concerns about privacy breaches by applications that log users in to Twitter or access their account. Turns out, those fears are well founded. The Twitter API can be exploited quite easily and let anyone gain access to your direct messages."
The access can be granted when a user logs in to Twitter, or to a third-party site that uses Twitter, by handing over their Twitter user name and password.
Twitter's API allows developers access to lots of neat information, Shannon wrote. "You can send messages, update statuses and do whatever you so please. Sure, there are some permission settings available for developers but few users read this stuff anyway."
"Personally, I don't care to read direct messages. However, I can see it being useful for list harvesting," Shannon wrote. His recommendation on how to deal with the loophole?
"Don't let applications log you in. Average users really don't know what they're doing and it's really easy to automatically hit the big 'accept' buttons online or during a software installation. But in this case it could be the equivalent of hitting 'Install' on a spyware application.
"To be fair, even the geeks do it. How many of you actually read the terms and conditions to the last application you installed, or website you signed up to?
Be aware of what you're granting access to, whether it's on Twitter, Facebook, or any other site. Be smart about what you give access to, or else your private data will no longer be private.