Are Twitter users at risk of having their accounts taken over by evildoers?
That’s the contention of Web developer James Slater, who wrote a blog post about the issue on the site of U.K.-based search optimization expert Dave Naylor.
The blog post describes a “massive Twitter cross-site scripting vulnerability.”
He said hackers could exploit the vulnerability by leveraging third-party Twitter applications that rely on Twitter’s API.
“Code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic Web site? Or maybe delete all of your tweets? Send a message to all of your friends?” Slater said.
Twitter did not respond to a request for comment from InternetNews.com by press time.
Slater’s report of an XSS flaw in the service comes as social networks like Facebook and microblogging site Twitter face growing privacy and security concerns amid their rapid growth.
In his post, Slater said he advised Twitter of the issue before posting his findings.
One commenter on Slater’s post identified himself as John Adams, a Twitter staffer, and wrote on Tuesday that the site had “patched this issue as of a few hours ago.”
But in a follow-up post Thursday, Slater said the cross-site scripting vulnerability remains.
He said the fix implemented by Twitter only stops users from putting spaces in the address field.
“If it can do that, it can do a lot worse,” he said.
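To illustrate why a filter that only removes spaces is not a fix, here is an added example (not code from the article, from Slater, or from Twitter): a user-supplied profile URL is either rejected or escaped before it is rendered as a link. The function names and the `<a>` template are assumptions.

```python
# Added example, not from the article or from Twitter: contrasts the
# space-stripping filter the article describes with validation plus
# output encoding of a user-supplied profile URL before it is rendered.
from html import escape
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_fix(url: str) -> str:
    """The kind of fix the article criticises: only spaces are removed.
    Every other character reaches the page untouched."""
    return url.replace(" ", "")


def safe_profile_href(url: str) -> Optional[str]:
    """Return an attribute-safe href for a user-supplied profile URL, or
    None if the value is not an ordinary http(s) link. The policy is
    rejection, not cleanup: an unexpected scheme or a control character
    is refused rather than patched around."""
    url = url.strip()
    # Refuse control characters up front; urlsplit() would silently drop
    # tabs and newlines, which is exactly the cleanup we do not want.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Re-serialise from the parsed parts and HTML-escape the result
    # (quotes included) so it cannot close the attribute it is placed in.
    return escape(urlunsplit(parts), quote=True)


def render_profile_link(url: str) -> str:
    """Template helper (hypothetical): emits an <a> only for an accepted URL."""
    href = safe_profile_href(url)
    if href is None:
        return "<span>(no website listed)</span>"
    return f'<a href="{href}" rel="nofollow noopener">{href}</a>'
```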
Slater ticked off a few tips for those concerned about the safety of their Twitter account. The first and most obvious one is not to be logged in to Twitter, at least until it’s clear a fix has been implemented. But even if you’re not logged in, Slater claimed that “malicious code could still send you to other Web sites or otherwise annoy you, so it doesn’t completely fix the problems.”
He also suggested that users check their accounts and “unfollow” anyone they don’t know or don’t trust, who might be exploiting the alleged flaw.
Twitter has had its share of security issues. Earlier this month, reports surfaced that Twitter was being used to control botnets.
Both Facebook and Twitter had to fend off denial of service attacks earlier this month.