Third-Party Apps Could Read Twitter Direct Messages

According to the company, no one exploited the vulnerability, and the issue is now fixed
18 December 2018

Until early December, third-party applications could read users' Twitter direct messages without the user ever having been asked for that permission. According to the company, nobody exploited the vulnerability. Terence Eden, who found it, was paid almost $3,000 under Twitter's bug bounty program.

In 2013, Twitter API keys leaked, so applications could call the API while posing as the legitimate clients those keys belonged to. To protect users, Twitter introduced an application authorization mechanism tied to pre-registered callback URLs, but it did not suit every application.

Applications that cannot receive a callback URL (desktop or command-line tools, for example) could instead authorize with a PIN code. In that flow Twitter shows the user a consent page listing the data the application will be granted. That page did not mention direct messages, yet the access token the application received let it read them anyway.

On December 6, Twitter reported that the problem had been fixed. According to the company's statement on HackerOne, nobody had exploited the vulnerability before then.

This is not the social network's first API-related security flaw. In September, Twitter disclosed a bug in the Account Activity API (AAAPI) that sent copies of users' direct messages to an unintended recipient.

Bootstrap 3.4.0 Is Out

The project team is focused on Bootstrap 4.2, so this release brings comparatively few changes
17 December 2018

Bootstrap 3.4.0, a new release of the free framework for building websites and web applications, is out. The project team is focused on Bootstrap 4.2, so this release brings comparatively few changes. Most notably, an XSS vulnerability has been fixed, the documentation has been updated, and Algolia-powered search has been added to the docs.

New features in the tool:

  • A new .row-no-gutters class, Algolia-powered documentation search, and an adjustment to .navbar-fixed-* elements while a modal is open.
  • An XSS vulnerability in the Alert, Carousel, Collapse, Dropdown, Modal and Tab components has been fixed. Sites still shipping an earlier 3.x build remain exposed until they upgrade.
  • The double border on <abbr> elements has been removed. Drag-and-drop into the Customizer and saving from the web Customizer to a Gist have been dropped, since GitHub disabled the feature this relied on long ago.
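
The bug class behind the XSS fix is worth understanding even if you only consume the framework: Bootstrap's jQuery plugins read a target from an element's data-target attribute (falling back to the fragment of its href) and hand it to jQuery, and jQuery's $() treats any string that begins with < as HTML to create rather than a selector to match, so attribute content an attacker can influence becomes injected markup. The block below is an added example, not code from Bootstrap or jQuery: it models that attribute-to-selector step in its unsafe shape and in a hardened shape that accepts only fragment-ID selectors. The attribute objects are constructed test input, and jqueryWouldParseAsHtml only models jQuery's HTML-versus-selector decision rather than running jQuery.

```javascript
// Added example, not code from Bootstrap or jQuery. It models the step in a
// Bootstrap-style jQuery plugin that turns an element's data-target (or href)
// attribute into a selector, in the unsafe shape and in a hardened shape.
// `attrs` is a plain object standing in for an element's attributes
// (constructed test input); in a real page you would use el.getAttribute().

// jQuery's $(str) treats a string whose first non-space character is "<" as
// HTML to create and insert rather than as a selector to match. This helper
// only models that decision; it does not run jQuery.
function jqueryWouldParseAsHtml(str) {
  return typeof str === 'string' && /^\s*</.test(str);
}

// Unsafe pattern: return whatever the attribute holds. If an attacker can
// influence data-target, their markup reaches $() untouched.
function unsafeTargetSelector(attrs) {
  let selector = attrs['data-target'] || '';
  if (!selector) {
    // Fall back to the fragment part of the href: "/page#menu" -> "#menu".
    const href = attrs.href || '';
    const hash = href.indexOf('#');
    selector = hash === -1 ? '' : href.slice(hash);
  }
  return selector || null;
}

// Hardened pattern: accept only a plain fragment-ID selector such as
// "#navbar-collapse". Anything else, including markup and a bare "#", is
// rejected with null so nothing attacker-shaped reaches the selector engine.
const FRAGMENT_ID = /^#[A-Za-z][\w.:-]*$/;

function safeTargetSelector(attrs) {
  const selector = unsafeTargetSelector(attrs);
  if (selector === null) return null;
  const trimmed = selector.trim();
  return FRAGMENT_ID.test(trimmed) ? trimmed : null;
}

// Side-by-side view of what each pattern would pass on for one element.
function classify(attrs) {
  const raw = unsafeTargetSelector(attrs);
  return {
    raw,
    parsedAsHtml: jqueryWouldParseAsHtml(raw),
    hardened: safeTargetSelector(attrs),
  };
}

// Constructed sample attribute sets, including an attacker-controlled one.
const SAMPLES = [
  { 'data-target': '#navbar-collapse' },
  { href: '/docs/3.4/#tab-profile' },
  { href: '#' },
  { 'data-target': '<img src=x onerror=alert(1)>' },
];

for (const attrs of SAMPLES) {
  console.log(JSON.stringify(attrs), classify(attrs));
}
```

Whitelisting the selector shape is deliberately stricter than only switching the lookup from $(selector) to $(document).find(selector): find() accepts nothing but selectors, which already stops the HTML parse, but rejecting anything that is not a fragment ID also keeps attribute-injected selector tricks out of the plugin entirely.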

What has changed in the documentation

  • A drop-down menu for switching between the current and previous versions has been added to the documentation navigation.
  • The ZeroClipboard copy-to-clipboard library was replaced with clipboard.js, and cross-browser testing moved to BrowserStack.
  • The v3 CSS documentation was reorganized to use Less.
  • The documentation baseurl is now /docs/3.4/.
  • Links were updated to use HTTPS only, and broken URLs were fixed.

A detailed description of everything in Bootstrap 3.4.0 is available in the official documentation. To upgrade with the npm package manager, use npm i bootstrap@previous or npm i bootstrap@3.4.0. A Bower package for this version is not provided.