The XSS security issue allows attackers to inject malicious code into Web pages, including HTML and client-side scripts.
Twitter is vulnerable to a serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, in conjunction with other exploit code, compromise their computers.
The proof-of-concept code page offers those clicking on the link a choice of whether they want to be exploited or not. Those who accept will trigger the exploit, causing the message "I just got owned!" to be posted to the Twitter XSSExploits account.
Twitter did not immediately respond to a request for comment.
"The vulnerability is still active," said Wastl. "Basically, we produce a link and if a Twitter user clicks on it, it allows us to hijack their accounts."
XSS vulnerabilities allow attackers to inject malicious code into Web pages, including HTML and client-side scripts. They can be used to bypass access controls, steal information, and conduct phishing attacks.
James cautions that XSS vulnerabilities should be taken seriously because they can reach beyond Web pages. "A lot of people think XSS is limited to the Web," he said. If there's another vulnerability in the victim's browser, the Twitter flaw could be used to launch additional malicious code, he explained.
This is particularly germane to Twitter users because so many of them rely on specialized third-party Twitter browsing applications, which aren't subjected to the security scrutiny given to major Web browsers.
Social is a Business ImperativeThe use of social media for a host of business purposes is rising. Indeed, social is quickly moving from cutting edge to business basic. Organizations that have so far ignored social - either because they thought it was a passing fad or just didnít have the resources to properly evaluate potential use cases and products - must start giving it serious consideration.
Social is a Business ImperativeSocial media is critical in the age of digital business. How can IT help? First, work with the marketing team to set up social networking programs on Facebook, Twitter, and LinkedIn, at minimum. Then work to put social media sentiment analytics in place to measure success.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.