Many websites and mobile apps let you use your Twitter account to log in to them, since it makes registration simple and easy. However, because of a privacy flaw in Twitter, those third parties can gain access to your Twitter direct messages.

Search marketing consultant Rishi Lakhani noticed the flaw when he used his Twitter account to sign up for Inbound, a forum for digital marketers. At login he was warned that Inbound would be able to read his direct messages.

Lakhani demonstrated the flaw to Business Insider on a Twitter account the publication had created. Although he did not have its password, he was able to alter the account's profile and to receive and send direct messages.

Many websites and apps use the Twitter API (Application Programming Interface) to offer login via Twitter so that the user does not need to register separately. When a developer creates a login backed by Twitter access, he must choose one of the following three permission levels for the website or app.

  • Read Only
  • Read Write
  • Read Write DM

This can be seen in the screenshot below:


Now, if a developer chooses the third option for his site, he will be able to read the direct messages of every user who logs in through it. This option may expose the user to “snooping and spamming.”
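The three-level model above, as an added example that is not code from the article or from Twitter: a least-privilege audit comparing the level Twitter reports as granted to a token against the lowest level the app's actual API calls require, so a login-only integration holding DM access stands out. The `x-access-level` response header is real Twitter v1.1 behaviour; the endpoint-to-level mapping and the sample headers are constructed for illustration.

```python
"""Least-privilege audit of a Twitter app's permission level (added example).

Twitter's v1.1 REST API reported the level granted to an access token in the
``x-access-level`` response header (``read``, ``read-write`` or
``read-write-directmessages``), mirroring the three options a developer picks
when registering the app. Endpoint mapping and sample headers are constructed.
"""

LEVELS = ["read", "read-write", "read-write-directmessages"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Minimum level each (method, endpoint) needs; constructed from the v1.1 docs.
ENDPOINT_LEVEL = {
    ("GET", "account/verify_credentials"): "read",
    ("GET", "statuses/user_timeline"): "read",
    ("POST", "statuses/update"): "read-write",
    ("POST", "account/update_profile"): "read-write",
    ("GET", "direct_messages/events/list"): "read-write-directmessages",
    ("POST", "direct_messages/events/new"): "read-write-directmessages",
}

def granted_level(headers):
    """Read the granted level from response headers (names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            value = value.strip().lower()
            if value not in RANK:
                raise ValueError(f"unknown access level: {value!r}")
            return value
    raise ValueError("x-access-level header missing")

def required_level(calls):
    """Lowest level that still covers every API call the app actually makes."""
    needed = "read"
    for call in calls:
        level = ENDPOINT_LEVEL.get(call)
        if level is None:
            raise KeyError(f"unmapped endpoint: {call}")
        if RANK[level] > RANK[needed]:
            needed = level
    return needed

def audit(headers, calls):
    """Return (granted, required, excess); excess lists levels held beyond need."""
    granted = granted_level(headers)
    required = required_level(calls)
    return granted, required, LEVELS[RANK[required] + 1 : RANK[granted] + 1]

if __name__ == "__main__":  # constructed: a forum login that only identifies the user
    print(audit({"X-Access-Level": "read-write-directmessages"}, [("GET", "account/verify_credentials")]))
```

A non-empty `excess` list is the signal a user or reviewer would want to see: the app was registered with more permission than its own calls justify.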

This is what the authorization screen will look like:


Twitter has over 284 million active users, and thousands of companies allow login to their apps and websites through Twitter. As Lakhani writes on his website:

A clever spammer could use this tool to their advantage, as it allows some real control over an account's actions. For example, by time noting user activity, it could be possible to use the account to tweet links for traffic etc. when the user is least likely to be using the account, and then delete them. The same goes for DMs.