Twitter Vulnerability Exposed

The XSS security issue allows attackers to inject malicious code into Web pages, including HTML and client-side scripts.

Thomas Claburn, Editor at Large, Enterprise Mobility

March 20, 2009

3 Min Read

Twitter is vulnerable to a serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, in conjunction with other exploit code, compromise their computers.

Proof-of-concept exploit code has been posted by Secure Science researchers Lance James and Eric Wastl. They say that Twitter has been notified but has not yet responded to them.

The proof-of-concept code page offers those clicking on the link a choice of whether they want to be exploited or not. Those who accept will trigger the exploit, causing the message "I just got owned!" to be posted to the Twitter XSSExploits account.

Twitter did not immediately respond to a request for comment.

"The vulnerability is still active," said Wastl. "Basically, we produce a link and if a Twitter user clicks on it, it allows us to hijack their accounts."

XSS vulnerabilities allow attackers to inject malicious code into Web pages, including HTML and client-side scripts. They can be used to bypass access controls, steal information, and conduct phishing attacks.

James cautions that XSS vulnerabilities should be taken seriously because they can reach beyond Web pages. "A lot of people think XSS is limited to the Web," he said. If there's another vulnerability in the victim's browser, the Twitter flaw could be used to launch additional malicious code, he explained.

This is particularly germane to Twitter users because so many of them rely on specialized third-party Twitter browsing applications, which aren't subjected to the security scrutiny given to major Web browsers. Twitter has suffered from a series of security incidents in recent months. Last week, about 750 Twitter accounts were hacked and used to send tweet spam.

About the same time, The Washington Post reported that Twitter had fixed an SMS spoofing vulnerability identified by James that was nearly identical to one reported to the company by another security researcher back in April 2007.

In January, 33 Twitter accounts associated with celebrities were hacked.

That same month, Twitter said it was conducting a full security review of all access points to Twitter. To date, it has not provided an update on its findings.

In July, security researcher Aviv Raff said that Twitter suffered from a vulnerability that allowed an attacker to force victims to join his or her Twitter follow list automatically.

Twitter's surging popularity only increases its attractiveness as a target for cybercrime. And the service's basic design amplifies the problem. "The structure that Twitter uses makes it the perfect architecture for spreading something virally," said Wastl. As with social networks, the feeling that one is among friends on Twitter may lead to insufficient caution.

According to James, Twitter encourages unsafe security practices, like the use of URL redirection and presenting links in a way that promotes trust that may not be deserved.

"It breeds bad human behavior to serious security problems," said James.

InformationWeek Analytics has published an independent analysis of the challenges around setting business priorities for next-gen Web applications. Download the report here (registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights