
8/27/2009
03:54 PM

Attack Of The Tweets: Major Twitter Flaw Exposed

U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.

U.K. researcher James Slater reported the serious flaw earlier this week, and now says Twitter's fix in response to his disclosure doesn't actually fix the problem. "It seems they've made a pretty amateurish attempt to fix the issue, completely missing the massive problem staring them in the face," Slater said in his blog.

The attack exploits an input validation weakness in a field of the form used for registering third-party Twitter clients, such as TweetDeck and Twitterrific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there, as well as raw HTML code. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."

The embedded code can perform any tasks the Twitter Website can perform, including redirecting a user to another page, sending tweets, changing account information, or adding or deleting followers, he said.

"Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure," Slater said.

Twitter's patch merely prevents people from putting spaces in that box, he said, which didn't go far enough: it left the door open for attackers to put any other code there.
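To make the weakness and the insufficient fix concrete, here is an added illustration (not code from Twitter or from Slater's blog) of a server rendering a tweet together with its client "source" field. It contrasts the reported space-blocking patch with allowlist validation on input plus HTML escaping on output; the client names and the rendering markup are constructed for the example.

```python
import html
import re

# Constructed client-name values for the "source" field the article describes.
# None of these is a real third-party Twitter client.
BENIGN_NAME = "My Client 2.0"
MARKUP_NAME = "Foo<b>Bar</b>"          # raw HTML, contains no spaces
SCRIPT_NAME = "Foo<script></script>"   # script tags, contains no spaces

# Allowlist for a client name: starts alphanumeric, then letters, digits,
# spaces, dots or hyphens, at most 30 characters in total (constructed policy).
SOURCE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .\-]{0,29}")


def patch_rejects(source):
    """The fix as the article reports it: the field is refused only if it
    contains a space. Anything without spaces, markup included, passes."""
    return " " in source


def source_is_valid(source):
    """Input-side allowlist check used when the client is registered."""
    return SOURCE_NAME_RE.fullmatch(source) is not None


def render_tweet_unsafe(text, source):
    """Before: the stored source is concatenated into the page verbatim,
    so whatever was saved in the form field is rendered as HTML."""
    return f'<p>{html.escape(text)} <span class="source">from {source}</span></p>'


def render_tweet_safe(text, source):
    """After: escape on output regardless of what was stored, so a value that
    bypassed input validation (or was stored before the fix) still cannot
    inject markup into the viewer's page."""
    return (f'<p>{html.escape(text)} <span class="source">from '
            f'{html.escape(source, quote=True)}</span></p>')


def source_fragment_has_markup(rendered):
    """Does the rendered source span still contain a raw '<'? True means the
    viewer's browser would parse the client name as HTML."""
    fragment = rendered.split("from ", 1)[1]
    return "<" in fragment.split("</span>")[0]


if __name__ == "__main__":
    for name in (BENIGN_NAME, MARKUP_NAME, SCRIPT_NAME):
        print(f"{name!r}: patch_rejects={patch_rejects(name)} "
              f"valid={source_is_valid(name)} "
              f"unsafe_markup={source_fragment_has_markup(render_tweet_unsafe('hi', name))} "
              f"safe_markup={source_fragment_has_markup(render_tweet_safe('hi', name))}")
```

Blocking one character is a blocklist, and the two markup names show why a blocklist is not a mitigation; the escaped rendering neutralises them even without the input check.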

The best defense against this attack, he says, is to use a third-party Twitter client rather than logging into Twitter's Website directly, and to "unfollow" people you don't know or don't trust. "If you don't see their tweets they can't harm you," Slater blogged.

Twitter had not responded to media inquiries about the bug as of this posting.

It has been a tough summer for Twitter security-wise. Researcher Aviv Raff hosted the Month of Twitter Bugs in July, aimed at exposing vulnerabilities in third-party Twitter applications. Among other problems, Twitter was hit by a massive DDoS attack earlier this month that knocked the popular microblogging site offline for hours, and then a researcher discovered a Twitter profile being used as the command center for a botnet. The profile was sending updates and malware to bots.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
