Egor Homakov
[ Gunther ]
@homakov Interesting trick sir.
Twitter trick - you can ask your readers to tweet about your post, but in fact send a DM. Example https://twitter.com/intent/tweet?text=d+homakov+u+smart …
-
-
@DaKnObCS disclosure post? what twitter said btw? -
@homakov Twitter declared it a feature added originally for SMS and then left on web version -
@DaKnObCS do you understand where the vulnerability is? That oauth apps can send DMs w/o permission to do that -
@homakov I know. I told them. They said it is a Twitter feature and should be left as is -
@homakov More specifically an employee told me “OAuth DM permission is for read access” -
@DaKnObCS WTF. Are they crazy. so, technically, Write access to /direct_messages should come by default with timeline access -
@DaKnObCS this feels so broken isn't it. Like texting your friends about borrowing money, which is not what apps should do. omg -
@homakov I was told DM access is only needed to read. (I reported this like 10 times hoping one will get through) -
@DaKnObCS that's fun! now i don't feel any sadness about full disclosure because those guys seem crazy :| -
@homakov That’s what I thought. I discovered it by accident as I was messing with the API and I couldn’t figure out what *I* did wrong :P -
@DaKnObCS hah, so you fuzzed "d name text" good job. I wonder if they have other commands built in -
@homakov Not as far as I know, but what stops you from trying the entire alphabet and figuring out the arguments? :P -
@DaKnObCS why, i will end up with "it's a feature" anyway :D
DaKnOb
Ben Ward