Twitter Vulnerability Exposed - InformationWeek
3/20/2009
05:29 PM

Twitter Vulnerability Exposed

The XSS security issue allows attackers to inject malicious code into Web pages, including HTML and client-side scripts.

Twitter has a serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, in conjunction with other exploit code, compromise their computers.

Proof-of-concept exploit code has been posted by Secure Science researchers Lance James and Eric Wastl. They say that Twitter has been notified but has not yet responded to them.

The proof-of-concept code page offers those clicking on the link a choice of whether they want to be exploited or not. Those who accept will trigger the exploit, causing the message "I just got owned!" to be posted to the Twitter XSSExploits account.

Twitter did not immediately respond to a request for comment.

"The vulnerability is still active," said Wastl. "Basically, we produce a link and if a Twitter user clicks on it, it allows us to hijack their accounts."

XSS vulnerabilities allow attackers to inject malicious code into Web pages, including HTML and client-side scripts. They can be used to bypass access controls, steal information, and conduct phishing attacks.

James cautions that XSS vulnerabilities should be taken seriously because they can reach beyond Web pages. "A lot of people think XSS is limited to the Web," he said. If there's another vulnerability in the victim's browser, the Twitter flaw could be used to launch additional malicious code, he explained.

This is particularly germane to Twitter users because so many of them rely on specialized third-party Twitter browsing applications, which aren't subjected to the security scrutiny given to major Web browsers.
