He discovered the flaw while testing a web application that was still under development, but which allowed users to sign in by using their Facebook or Twitter accounts.
He chose to sign in with his Twitter account, and before doing it, was duly informed that if he did it that way the application would be able to read his tweets, post in his name, see who he follows and follow new people, and update his profile. He was also explicitly told that that the app will not be able to access Direct Messages and see his Twitter password.
"After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages. I felt that my account was safe, so I signed in and played with the application," Cerrudo explained.
He discovered that the app had the functionality to access and display Twitter Direct Messages, but that it did not work because Twitter was blocking its access to his DMs.
In order to gain access, the application would have to explicitly request proper authorization:
Cerrudo says he was never faced with this page during his testing, even when he repeatedly logged out and in both the app and Twitter.
Still, after doing it a couple of times, he suddenly discovered that the app was displaying all of his Twitter DMs. He checked the app's settings and they confirmed that it had permission to read, write, and see direct messages."
He realized that this was probably due to a bug, and further investigation into the matter unearthed the fact that the first time he signed in with Twitter on the application, it only received read and write access permissions, but that this gave the application access to what Twitter displays on its "Sign in with Twitter" web page.
"Later, however, when I signed in again with Twitter without being already logged in to Twitter, the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages," he concluded.
After notifying Twitter of the issue, it took its security team less than 24 hours to fix it, Cerrudo concedes. Still, he notes that Twitter hasn't appraised its users of the matter.
"There should be millions of Twitter users that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users private direct messages," he points out, and advises users to check third-party applications permissions and revoke the apps to which they never gave permission to access their DMs.