Unlike mentions, Twitter DMs are completely private in nature and are accessible only to you and the recipient of the direct message. So it would seem safe to assume that Twitter DMs are not accessible to any third-party app, an assumption that a demo Twitter app has proved wrong.
The fact: some Twitter apps can access your mentions, timeline, following list and direct messages without being explicitly granted permission to do so.
Ok, so where is the proof, and which app are we talking about here?
If you are really curious and want to see the results hands-on, go to the Royal test application page, sign in with your Twitter account, grant all the necessary permissions and let the app rip off your entire history of direct messages in less than a minute. It would be wise to first create a dummy Twitter account, send a few test DMs and then sign in with this dummy account to check whether the app can access those messages.
I tested the app with my own Twitter account and was surprised to see that the app produced the entire history of all direct messages I have sent and received since the day I created my Twitter account. Here are the results:
And here is the list of direct messages I have received on my Twitter account:
Another important thing to note here is that although I had deleted a lot of messages from my Twitter inbox, those deleted messages reappeared once I used the app. The same goes for all received messages!
If you think this is not possible at all, we have a one-minute hands-on video which shows how this app can fetch all of your DMs:
The app authorization screen clearly states that this app won’t be able to access your Twitter DMs. And this despite the fact that Twitter recently changed its OAuth authorization screen and added more explicit details about the data an application can access once you start using it.
Robin Wauters from TechCrunch writes:
Twitter recently updated its OAuth screens, which are supposed to give users greater transparency about the level of access third-party applications have to their accounts. What has happened is that the new authentication model was supposed to go live on June 1st, but they postponed it to the end of June without fully realizing that the new UI for the OAuth permission screens would already be live.
As it turns out, this is a flaw in the OAuth authorization screen upgrade that was scheduled for June 1st. The upgrade has been postponed until June 30th, so don’t authorize any suspicious third-party app whose OAuth authorization page claims it can’t access your Twitter direct messages.
If you have a lot of confidential data and important messages saved on your Twitter account, you should be really careful and double-check your application settings under Twitter > Settings > Applications.
P.S.: Previously we did another video discussing the vulnerabilities of Gmail, Twitter and Facebook over an HTTPS connection.