The Next Web reports on a Twitter vulnerability that lets apps send direct messages without user permission.
Nevertheless, by using the command “d twitter_username message” the app can send a DM to anyone you can normally send DMs to. The app never has to check with the user if he or she is okay with sending a DM.
It’s worth noting that some apps block this functionality. Buffer, for example, gives the following error: “Sorry, direct messages can’t currently be sent through Buffer.” Other apps we tested, however, sent DMs without a hitch.
This means that third-party apps can spam direct messages through your account without you knowing, unless you check your messages inbox.
It is a security concern because apps can exploit this for phishing.
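A pre-posting check of the kind Buffer's error message implies, written here as an added example (not code from Buffer, Twitter or The Next Web): it refuses any status text shaped like the DM shortcut unless the user has explicitly confirmed sending a DM. Assumed and not from the page: case-insensitive matching, tolerance of leading whitespace and an optional "@", the username character set, and all function names and sample posts.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Shape of the shortcut quoted above: "d twitter_username message".
# Assumptions (not stated on the page): the "d" is matched case-insensitively,
# leading whitespace and an optional "@" are tolerated, and usernames consist
# of ASCII letters, digits and underscore.
DM_COMMAND = re.compile(r"^\s*d\s+@?(?P<user>[A-Za-z0-9_]+)\s+(?P<body>\S.*)$",
                        re.IGNORECASE | re.DOTALL)

class DirectMessage(NamedTuple):
    recipient: str
    body: str

class DirectMessageBlocked(ValueError):
    """Raised when a status update would be delivered as a DM instead."""

def parse_dm_command(status: str) -> Optional[DirectMessage]:
    """Return the recipient and body if the text has the DM-shortcut shape."""
    m = DM_COMMAND.match(status)
    return DirectMessage(m["user"], m["body"].strip()) if m else None

def check_status(status: str, user_confirmed_dm: bool = False) -> str:
    """Return the status unchanged, or refuse it if it is an unconfirmed DM."""
    dm = parse_dm_command(status)
    if dm and not user_confirmed_dm:
        raise DirectMessageBlocked(f"would send a DM to @{dm.recipient}")
    return status

def audit(queue: List[str]) -> List[Tuple[int, str]]:
    """List (index, recipient) for every queued post that parses as a DM."""
    hits = []
    for i, status in enumerate(queue):
        dm = parse_dm_command(status)
        if dm:
            hits.append((i, dm.recipient))
    return hits

# Constructed sample queue (hypothetical posts, not taken from the report).
QUEUE = [
    "d alice_example check out this link",
    "D @alice_example hi",
    "  d\talice_example hello",
    "d is my favourite letter",  # still DM-shaped: recipient would be "is"
    "Dinner was great",          # ordinary status, no whitespace after "d"
]

if __name__ == "__main__":
    print(audit(QUEUE))
```

The fourth sample shows why the check has to look at shape rather than intent: an innocent sentence that begins with a lone "d" is indistinguishable from the shortcut.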