> I wrote a full disclosure post 5 minutes after finding the bug because twitter doesn't reward "bounty hunters".

Companies without bug bounties don't deserve responsible disclosure? Twitter has a pretty clear way to reach them, and recognition is given on their page. If recognition isn't sufficient for responsible disclosure, how much money would be enough? I think bug bounty programs are great, but I don't think they should be mandatory.

https://about.twitter.com/company/security
People in various forums (a couple on HN, SO, Egor's blog, Twitter itself) seem to be saying something like "this isn't really a bug".

It's definitely a bug. Twitter requires clients to ask for the DM permission before they can send DMs. With Egor's approach, clients can privilege-escalate themselves to send DMs even if they never asked for that permission (although they still need to be authorized to send tweets).

Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568

And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240
It only allows you to send DMs to those users you can already message - which is a small mercy.

This is part of Twitter's "Get Better" problem - where they've allowed SMS commands to be activated via non-SMS interfaces - http://techcrunch.com/2012/05/26/twitter-get-better/

Of course, it doesn't help that Twitter's permissions system is really poorly thought out. An app which only wants to read your Tweets also has WRITE access as well.
Isn't a bug according to Twitter employees:

http://twitter.com/jmhodges/status/411975535703511040
The 'd' syntax for sending DMs has been around from nearly the beginning (or from the actual beginning?) of Twitter. That in itself is not a bug. However, Twitter should be stripping that leading 'd' from anything that is reposting or from a 3rd party OAuth session.
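The privilege escalation described in the comments above (a client with only tweet-write permission posting `d <user> <message>` and having it delivered as a DM) comes down to where the legacy SMS command is interpreted. The following is an added, constructed example, not Twitter's code: it models the server-side decision for a posted status, honouring the `d` command only for SMS sessions or for OAuth apps that actually hold DM permission. It departs from the suggestion of stripping the leading `d`, because stripping would publish an intended-private message as a public tweet; the rejected status is refused instead. The permission level names and the `route_status` function are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical permission levels, loosely modeled on the thread's description
# of Twitter's read / read-write / read-write-with-DM app permissions.
PERM_READ = "read"
PERM_READ_WRITE = "read-write"
PERM_READ_WRITE_DM = "read-write-directmessages"

# Legacy SMS command: optional leading whitespace, 'd' or 'D', whitespace,
# a handle (optionally with '@'), whitespace, then the message body.
_DM_COMMAND = re.compile(r"^\s*[dD]\s+@?(\w{1,15})\s+(.+)$", re.DOTALL)


@dataclass
class Action:
    kind: str                       # "tweet", "dm" or "rejected"
    recipient: Optional[str] = None
    text: str = ""


def parse_dm_command(status: str) -> Optional[Tuple[str, str]]:
    """Return (recipient, body) if the text would be read as a 'd' command, else None."""
    m = _DM_COMMAND.match(status)
    return (m.group(1), m.group(2)) if m else None


def route_status(status: str, app_permission: str, via_sms: bool = False) -> Action:
    """Decide what a posted status becomes.

    SMS sessions keep the historical behaviour (the thread notes the 'd' syntax
    predates OAuth). For OAuth clients the DM interpretation is only honoured
    when the app holds DM permission; otherwise the update is refused rather
    than escalated into a DM or leaked as a public tweet.
    """
    cmd = parse_dm_command(status)
    if cmd is None:
        return Action("tweet", text=status)
    recipient, body = cmd
    if via_sms or app_permission == PERM_READ_WRITE_DM:
        return Action("dm", recipient, body)
    return Action("rejected", recipient, body)
```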
Not sure how many hours go into finding these sorts of vulnerabilities, but his rate of $150/hour[1] seems like a steal compared to the lost revenues he can prevent.

[1] http://www.sakurity.com/
This is in line with a long laundry list of horribleness about user experience as related to DMs in my opinion. They don't work as expected, and quite honestly to me it feels like Twitter is running a campaign to destroy people's love of the DM in search of a Solution, maybe in preparation for a DM 2.0 or something.

Some of the experience elements of DM have been fixed on the iPhone, but last I checked, the problems on web desktop made me so annoyed that I stopped using DMs altogether.
Come over to App.net. It will be a while before the masses ruin that.

Free invite link >> https://join.app.net/from/fjjgdclsjq