Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/27/2009
03:54 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Attack Of The Tweets: Major Twitter Flaw Exposed

U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.

U.K. researcher James Slater reported the serious flaw earlier this week, and now says Twitter's fix in response to his disclosure doesn't actually fix the problem. "It seems they've made a pretty amateurish attempt to fix the issue, completely missing the massive problem staring them in the face," Slater said in his blog.

The attack basically exploits an input validation weakness in a field of the form used for adding third-party Twitter clients, such as TweetDeck and Twitterific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there as well as raw HTML code, for instance. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."

The embedded code can perform any tasks the Twitter Website can perform, including redirecting a user to another page, sending tweets, changing account information, or adding or deleting followers, he said.

"Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure," Slater said.

Twitter's patch basically prevents people from putting spaces in that box, he said, which didn't go far enough. It left the door open for attackers to put any other code there, he said.

The best defense from this attack, he says, is to run a Twitter third-party client rather than logging into Twitter's Website directly, and to "unfollow" people you don't know or don't trust. "If you don't see their tweets they can't harm you," Slater blogged.

Twitter had not responded to media inquiries about the bug as of this posting.

It has been a tough summer for Twitter security-wise. Researcher Aviv Raff hosted the Month of Twitter Bugs in July, aimed at exposing vulnerabilities in third-party Twitter applications. Among other problems, Twitter was hit by a massive DDoS attack earlier this month that knocked the popular microblogging site offline for hours, and then a researcher discovered a Twitter profile being used as the command center for a botnet. The profile was sending updates and malware to bots.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...