by jxf 4573 days ago
People in various forums (a couple on HN, SO, Egor's blog, Twitter itself) seem to be saying something like "this isn't really a bug".

It's definitely a bug. Twitter requires clients to ask for the DM permission before they can send DMs. With Egor's approach, clients can privilege-escalate themselves to send DMs even if they never asked for that permission (although they still need to be authorized to send tweets).

Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568

And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240
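The disagreement above comes down to where the permission check happens relative to the legacy "d" command. The model below is an added example written for this page, not Twitter's code or anything from Egor or the commenters; the token, scope names ("read", "write", "dm") and the "d user text" command syntax are assumptions used for illustration. It puts the behaviour jxf describes (scope checked first, DM rewrite second) next to a variant that decides what the request does before deciding which scope it needs.

```python
"""Added model of the status-endpoint / DM-scope question from the thread.

Not Twitter's code. Assumes an OAuth-style token carrying scopes
"read", "write" and "dm", and a legacy "d <user> <text>" status command
that the status endpoint rewrites into a direct message. All names are
hypothetical.
"""
from dataclasses import dataclass, field
import re

# Legacy shorthand: "d bob hello there" -> DM "hello there" to bob
LEGACY_DM = re.compile(r"^d\s+@?(\w{1,15})\s+(.+)$", re.DOTALL)


@dataclass(frozen=True)
class Token:
    """An app's access token; scopes are what the user consented to."""
    app: str
    user: str
    scopes: frozenset = field(default_factory=frozenset)

    def has(self, scope: str) -> bool:
        return scope in self.scopes


def _require(token: Token, scope: str) -> None:
    if not token.has(scope):
        raise PermissionError(f"{token.app} lacks scope {scope!r}")


def post_status_legacy(token: Token, text: str):
    """Behaviour the thread describes: the endpoint checks the write scope,
    then the legacy 'd' command turns the 'tweet' into a DM. An app that
    only asked for write access ends up sending a DM."""
    _require(token, "write")
    m = LEGACY_DM.match(text)
    if m:
        return ("dm", m.group(1), m.group(2))
    return ("tweet", None, text)


def post_status_hardened(token: Token, text: str):
    """Decide what the request actually does before deciding which scope it
    needs, so the DM path is gated by the DM scope regardless of which
    endpoint the text arrived through."""
    m = LEGACY_DM.match(text)
    if m:
        _require(token, "dm")
        return ("dm", m.group(1), m.group(2))
    _require(token, "write")
    return ("tweet", None, text)


def outcome(handler, token: Token, text: str):
    """Run a handler and report the action taken, or 'denied'."""
    try:
        return handler(token, text)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    # Constructed sample tokens: one app consented to read+write only,
    # one also to DMs.
    write_only = Token("tweetapp", "alice", frozenset({"read", "write"}))
    with_dm = Token("dmapp", "alice", frozenset({"read", "write", "dm"}))
    for handler in (post_status_legacy, post_status_hardened):
        for tok in (write_only, with_dm):
            print(handler.__name__, tok.app, outcome(handler, tok, "d bob hi"))
```

The hardened variant is the only one where a write-only token can never produce a DM; a plain status like "done for today" still goes through as a tweet under both, because the legacy pattern requires the standalone "d" followed by a recipient.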

3 comments

Read the API docs: only reading DMs needs a special permission; POST direct message only needs the permissions that writing a "normal" tweet would. There's no bug here. Maybe a confusing security model, but no bug.
"Twitter requires clients to ask for the DM permission before they can send DMs"

Perhaps it should, but it doesn't - apps can use the normal API to send DMs without asking for the special DM permission. So the use of the "d" command through the API isn't a vulnerability (it doesn't let anyone do anything they aren't supposed to be able to do), even if it is weird.

This kind of bug falls in a grey area, I believe. It's more a legacy feature that should be turned off.

Nonetheless, I think it's wrong to have that feature still working.