The app asked for permission to post on their behalf, which it did
Demonstrating something that is, or at least should be, obvious to most people, a Dutch teenager, 16-year-old Damien Reijnaers, managed to get 20,000 Twitter accounts to post what he wanted. There was no hacking, not even a scam; he simply asked for permission. Or rather, an app he created asked for permission, and all of its users agreed without hesitation. The app was supposed to tell users if they were a good match with another user, based on their profiles.
In fact, the app tweeted “How badly people manage their Twitter accounts... Regards, Damien Reijnaers.” This doesn't prove much, really, other than that the teenager knows how to get attention.
There's no security flaw, not even social engineering. The app model comes with an implicit trust, one we may be too willing to give, but one without which the modern Internet would not work.
Even people who read an app's permission requirements end up agreeing to them, whether or not they're comfortable with the idea, since they want to use the app.