CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 23rd, 2009

Flaw Makes Twitter Vulnerable To Serious Viral Attack

Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker’s choice simply by clicking on a link. It could be used to spawn a self-replicating worm.

The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance James and Eric Wastl, who have fashioned this link to demonstrate their finding. Clicking on it while logged in to Twitter causes users to immediately broadcast an innocuous message to all of their followers, as this dummy account shows.

Of course, it would be just as easy to craft links that do considerably more damage. Tweets are limited to just 140 characters, making it almost mandatory to use shortened URLs that obscure their final destination. While it’s possible to preview the link before visiting, many Twitter users have grown so accustomed to them they click on them directly.

As the user base of Twitter has skyrocketed, so too have attempts to exploit the site. Hackers have waged cat-and-mouse attacks on the site using so-called clickjacking exploits that, like the XSS vulnerability exposed by James and Wastl, forced logged-in users to tweet simply by clicking on an innocent-looking button. Twitter has been quick to patch the vulnerabilities, but the hackers have been known to launch new attacks that work around the countermeasures.

More than 15 hours after this story was first published, the gaping hole remained.

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • Popular BitTorrent Client Quietly Patched An Old Zero-Day Vulnerability
  • Twitter Users Hit Once Again, This Time With Rogue Anti-virus Scam
  • New Cross-site Scripting Vulnerability On Twitter Allows Session Hijacking And Posting
  • Warez Backdoor Allowed Hackers To Steal Twitter Passwords
  • Spam From 750 Compromised Twitter Accounts Invited Users To Visit Porn Website

    • Posted in Social Networks, Spam, Vulnerabilities, XSS | Print This Post Print This Post

    This entry was posted on Monday, March 23rd, 2009 at 12:51 pm and is filed under Social Networks, Spam, Vulnerabilities, XSS. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Flaw Makes Twitter Vulnerable To Serious Viral Attack

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »