Attack Of The Tweets: Major Twitter Flaw Exposed
U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet
August 27, 2009
A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.
U.K. researcher James Slater reported the serious flaw earlier this week, and now says Twitter's fix in response to his disclosure doesn't actually fix the problem. "It seems they've made a pretty amateurish attempt to fix the issue, completely missing the massive problem staring them in the face," Slater said in his blog.
Code embedded in such a tweet can perform any task the Twitter Website itself can perform, including redirecting the user to another page, sending tweets, changing account information, or adding or deleting followers, he said.
"Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure," Slater said.
Twitter's patch basically prevents people from putting spaces in the affected input field, he said, which didn't go far enough: it left the door open for attackers to put any other code there.
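To show why a fix of that shape is inadequate, here is an added example that is not code from the original page, from Twitter, or from the researcher. It contrasts a hypothetical space-rejecting filter, reconstructed only from the description "prevents people from putting spaces", with HTML escaping of the value before it is rendered. The field name "bio", the rendering template and the payloads are constructed for illustration and are not the actual tweet used:

```javascript
// Added example, not Twitter's code or the researcher's: a "no spaces allowed"
// input filter next to proper HTML escaping, for a user-controlled field that a
// page renders into HTML. The page does not name the field or show Twitter's
// filter, so spaceFilter() is a hypothetical reconstruction of "prevents people
// from putting spaces", the field name "bio" is made up, and the payloads below
// are constructed for illustration rather than the actual tweet used.

// Hypothetical weak fix: reject any value containing whitespace, pass the rest through.
function spaceFilter(value) {
  if (/\s/.test(value)) {
    throw new Error("spaces not allowed");
  }
  return value;
}

// Proper fix: encode for the HTML context before the value is inserted into the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "/": "&#47;" };
  return value.replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// A naive template: drop the (sanitized) value straight into markup.
function renderField(name, value, sanitize) {
  return `<span class="${name}">${sanitize(value)}</span>`;
}

// Heuristic check for an executable construct in the rendered fragment: a
// <script> tag or any tag with an on* event-handler attribute. Browsers accept
// "/" as well as whitespace between attributes, which is exactly why a
// space-only filter fails. A real detector would use an HTML parser.
function containsScript(fragment) {
  return /<script\b/i.test(fragment) || /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i.test(fragment);
}

// Classify what happens to a payload under a given sanitizer.
function outcome(payload, sanitize) {
  let fragment;
  try {
    fragment = renderField("bio", payload, sanitize);
  } catch (e) {
    return "rejected";
  }
  return containsScript(fragment) ? "executable" : "inert";
}

// Constructed payloads: the first needs a space, the second does not.
const PAYLOAD_WITH_SPACES = "<img src=x onerror=alert(1)>";
const PAYLOAD_NO_SPACES = "<img/src/onerror=alert(1)>";
const BENIGN = "hello world";

function demo() {
  return {
    spaceFilter: {
      withSpaces: outcome(PAYLOAD_WITH_SPACES, spaceFilter), // "rejected"
      noSpaces: outcome(PAYLOAD_NO_SPACES, spaceFilter),     // "executable"
      benign: outcome(BENIGN, spaceFilter),                  // "rejected" (breaks legitimate input too)
    },
    escapeHtml: {
      withSpaces: outcome(PAYLOAD_WITH_SPACES, escapeHtml),  // "inert"
      noSpaces: outcome(PAYLOAD_NO_SPACES, escapeHtml),      // "inert"
      benign: outcome(BENIGN, escapeHtml),                   // "inert"
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The space-only filter rejects a benign "hello world" yet passes `<img/src/onerror=alert(1)>`, because browsers accept `/` as an attribute separator; escaping the value for the HTML context neutralises both payloads without rejecting anything. That is the general rule the patch missed: encode output for the context it lands in rather than blocklisting individual characters in input.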
The best defense against this attack, he says, is to use a third-party Twitter client rather than logging into Twitter's Website directly, and to "unfollow" people you don't know or don't trust. "If you don't see their tweets they can't harm you," Slater blogged.
Twitter had not responded to media inquiries about the bug as of this posting.
It has been a tough summer for Twitter, security-wise. Researcher Aviv Raff hosted the Month of Twitter Bugs in July, aimed at exposing vulnerabilities in third-party Twitter applications. Twitter was also hit by a massive DDoS attack earlier this month that knocked the popular microblogging site offline for hours, and a researcher then discovered a Twitter profile being used as the command center for a botnet, sending updates and malware to bots.