Twitter Vulnerability Exposed

A cross-site scripting (XSS) vulnerability allows attackers to inject malicious code, including HTML and client-side scripts, into Web pages.
Twitter has suffered from a series of security incidents in recent months. Last week, about 750 Twitter accounts were hacked and used to send tweet spam.

About the same time, The Washington Post reported that Twitter had fixed an SMS spoofing vulnerability identified by James that was nearly identical to one reported to the company by another security researcher back in April 2007.

In January, 33 Twitter accounts associated with celebrities were hacked.

That same month, Twitter said it was conducting a full security review of all access points to Twitter. To date, it has not provided an update on its findings.

In July, security researcher Aviv Raff said that Twitter suffered from a vulnerability that allowed an attacker to force victims to join his or her Twitter follow list automatically.

Twitter's surging popularity only increases its attractiveness as a target for cybercrime. And the service's basic design amplifies the problem. "The structure that Twitter uses makes it the perfect architecture for spreading something virally," said Wastl. As with social networks, the feeling that one is among friends on Twitter may lead to insufficient caution.

According to James, Twitter encourages unsafe security practices, like the use of URL redirection and presenting links in a way that promotes trust that may not be deserved.

"It breeds bad human behavior to serious security problems," said James.

