Twitter users should be careful about using their Twitter credentials to sign in to third-party sites, and should keep track of which applications they have authorized to access their account.

QUOTE: Many Web applications allow users to sign in using their Twitter and Facebook accounts instead of creating yet another account. It is convenient for users, and application developers can access user data stored on the social networking site. Cesar Cerrudo, a security researcher with IOActive, stumbled across a flaw in which these applications could wind up with higher levels of access than they should have. In a post on the IOActive Labs Research blog, Cerrudo described how he was testing a Web application (still under development) which allowed users to sign in with Twitter or Facebook. At the “Sign in” page, Cerrudo saw that the application would be able to view his public tweets, post on his account, see his followers, follow new people, and make changes to the profile. The page also explicitly stated the application would not have access to his Direct Messages or his password.

RECOMMENDATION: You should periodically audit the list of applications that have permission to access your Twitter and Facebook accounts to make sure there are no surprises. Check that every authorized application is one you added yourself and still need, and revoke any you no longer use. Also check each application's permission level (for Twitter: read-only, read and write, or read, write and direct messages) and make sure it is no higher than what that application actually needs.
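The audit described above can be turned into a repeatable check. The following is an added example, not code from the original article or from IOActive; it assumes a constructed list of authorized apps (the kind of data shown on Twitter's "Apps" settings page) and a user-maintained list of which apps are expected and at what access level. The three access level names are Twitter's real ones ("read", "read-write", "read-write-directmessages"); the app names, dates and policy thresholds are invented for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Twitter's OAuth access levels, least to most privileged.
# The level names are Twitter's; the ordering is what the audit relies on.
ACCESS_LEVELS = ["read", "read-write", "read-write-directmessages"]


@dataclass(frozen=True)
class AuthorizedApp:
    name: str
    access_level: str   # one of ACCESS_LEVELS, as granted to the app
    last_used: date     # last time the app used its token
    added_by_me: bool   # whether the user recognises having authorized it


def level_rank(level):
    """Map an access level to its position in the privilege ordering."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level: {level!r}")
    return ACCESS_LEVELS.index(level)


def audit_apps(apps, expected, today, unused_after_days=90):
    """Return {app name: [reasons to act]} for every app that needs attention.

    `expected` maps the names of apps the user deliberately added to the
    highest access level that app should have. Anything else is flagged.
    """
    findings = {}
    for app in apps:
        reasons = []
        if not app.added_by_me or app.name not in expected:
            # Not something the user knowingly authorized: revoke it.
            reasons.append("unrecognised: revoke")
        elif level_rank(app.access_level) > level_rank(expected[app.name]):
            # Granted more than the user intended (the flaw class in the article).
            reasons.append(
                f"over-privileged: has {app.access_level}, expected {expected[app.name]}"
            )
        idle_days = (today - app.last_used).days
        if idle_days > unused_after_days:
            reasons.append(f"unused for {idle_days} days: revoke")
        if reasons:
            findings[app.name] = reasons
    return findings


def sample_findings():
    """Run the audit over constructed sample data (hypothetical apps and dates)."""
    today = date(2013, 4, 30)
    apps = [
        AuthorizedApp("Desktop Tweet Client", "read-write-directmessages", date(2013, 4, 28), True),
        AuthorizedApp("Blog Comment Widget", "read-write", date(2013, 4, 20), True),
        AuthorizedApp("Old Contest App", "read", date(2012, 3, 26), True),
        AuthorizedApp("Unknown Analytics", "read-write", date(2013, 4, 29), False),
    ]
    # What the user believes each app should be allowed to do.
    expected = {
        "Desktop Tweet Client": "read-write-directmessages",
        "Blog Comment Widget": "read",
        "Old Contest App": "read",
    }
    return audit_apps(apps, expected, today)


if __name__ == "__main__":
    for name, reasons in sample_findings().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Apps that pass every check are simply absent from the result, so an empty dict means the authorized-app list matches what you intended. The "over-privileged" check is the one that matters for the flaw in the article: an app that told you at sign-in it would not touch Direct Messages but holds a read-write-directmessages token shows up here, whatever the sign-in page said.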