Applications can use the Twitter API to have you grant them access to your Twitter account without you sharing your username and password. You would expect your DMs to be excluded by default from the information (e.g. tweets, favs, lists, etc.) that such applications can then access, or at least for that to be configurable. Apparently this is not the case! See this blog post by Tweetster.de (in German) in which they unearthed it. It means that from day one, any application you granted “READ + WRITE” access to your Twitter account had access to your DMs and potentially could even send them on your behalf…?!?
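To make the scope problem concrete, here is an added illustrative example (not Twitter's code or API; the action and scope names such as "dm", "timeline" and "tweet" are assumptions). It models the coarse "read"/"write" grant beside a policy with a separately granted DM scope, and audits which authorised apps can read or send DMs under each:

```python
from dataclasses import dataclass

# Constructed, illustrative action names; not Twitter's real endpoint or scope names.
PUBLIC_READ = {"timeline", "favorites", "lists"}
PUBLIC_WRITE = {"tweet"}
DM_READ, DM_SEND = "dm:read", "dm:send"


@dataclass(frozen=True)
class Grant:
    """What a user granted one application (assumed scope vocabulary)."""
    app: str
    scopes: frozenset


def allowed_coarse(grant: Grant, action: str) -> bool:
    """Pre-fix model: 'read' covers every read, including DMs, and
    'write' covers every write, including sending DMs on the user's behalf."""
    if action in PUBLIC_READ or action == DM_READ:
        return "read" in grant.scopes
    if action in PUBLIC_WRITE or action == DM_SEND:
        return "write" in grant.scopes
    return False


def allowed_granular(grant: Grant, action: str) -> bool:
    """Post-fix model: anything touching DMs additionally needs an explicit
    'dm' scope that the user had to grant separately."""
    if action in (DM_READ, DM_SEND):
        if "dm" not in grant.scopes:
            return False
        needed = "read" if action == DM_READ else "write"
        return needed in grant.scopes
    if action in PUBLIC_READ:
        return "read" in grant.scopes
    if action in PUBLIC_WRITE:
        return "write" in grant.scopes
    return False


def dm_capable(grants, policy):
    """Audit helper: which apps can read or send DMs under the given policy."""
    return sorted(g.app for g in grants if policy(g, DM_READ) or policy(g, DM_SEND))


# Constructed sample grants (not real applications).
SAMPLE_GRANTS = (
    Grant("tweet-scheduler", frozenset({"read", "write"})),
    Grant("stats-dashboard", frozenset({"read"})),
    Grant("dm-client", frozenset({"read", "write", "dm"})),
)


if __name__ == "__main__":
    print("coarse   :", dm_capable(SAMPLE_GRANTS, allowed_coarse))
    print("granular :", dm_capable(SAMPLE_GRANTS, allowed_granular))
```

Under the coarse policy every app with "read" can read DMs and every app with "write" can send them, which is exactly the situation the post describes; under the granular policy only the app that was explicitly granted "dm" can touch them. The audit helper is the kind of check worth running over your own list of authorised apps: anything that does not need DMs should not be able to reach them.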
Twitter seems to be aware of it and to be working on a solution (planned for the 30th of June), and has added a notification to the access-granting page:
I’m feeling a perfect ‘Weiner’ excuse popping up here: “No sir, I didn’t put those pictures up, it was a Twitter app that I authorized to access my Twitter account! It took pictures while I was drying myself after a shower without me even knowing it and posted them to my DMs… It wasn’t me, I swear!” Oh wait, too late, he admitted to putting them up there himself…
It just goes to show: leave your Frankfurter out of it or the Germans will find it!
Thanks to @ThomasBahn for bringing it to my attention by tweeting about it!