Twitter Said to Suffer Security Flaw

Are Twitter users at risk of having their accounts taken over by evildoers?

That’s the contention of Web developer James Slater, who wrote a blog post about the issue on the site of U.K.-based search optimization expert Dave Naylor.

The blog post describes a “massive Twitter cross-site scripting vulnerability.”

He said hackers could exploit the vulnerability by leveraging third-party Twitter applications that rely on Twitter’s API.

The cross-site scripting (XSS) bug in Twitter could allow hackers to, for example, insert malicious JavaScript into tweets simply by adding code to a field of an API used by third-party Twitter application developers. That code could in turn send the Twitter user to another page, change his or her account details, send tweets and add or delete followers.

“Code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic Web site? Or maybe delete all of your tweets? Send a message to all of your friends?” Slater said.

Twitter did not respond to a request for comment by press time.

Slater’s report of an XSS flaw in the service comes as social networks like Facebook and microblogging site Twitter face growing privacy and security concerns amid their rapid growth.

In his post, Slater said he advised Twitter of the issue before posting his findings.

One commenter on Slater’s post identified himself as John Adams, a Twitter staffer, and wrote on Tuesday that the site had “patched this issue as of a few hours ago.”

But in a follow-up post Thursday, Slater said the cross-site scripting vulnerability remains.

He said a fix implemented by Twitter only stops the user from putting spaces in the address box field.

“Other than that, everything else is fair game,” he said, noting that he was able to create a harmless popup box using JavaScript in connection with the XSS flaw.

“If it can do that, it can do a lot worse,” he said.
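The report above describes a fix that only strips spaces from a user-supplied field before it is rendered into a page. The following is an added example (not Twitter’s code and not from Slater’s post) that contrasts that inadequate approach with the standard defence for a URL-valued profile field: validate the scheme, then HTML-escape the value for the attribute context it lands in. The function names and the sample input string are constructed for illustration.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample value for a profile "website" field. It contains a double
# quote but no spaces, which is why a fix that only removes spaces (as the
# article describes) does not close the hole: the quote alone ends the href
# attribute and lets a new attribute be introduced.
HOSTILE_URL = 'http://example.com/"onmouseover="alert(1)'
BENIGN_URL = 'https://example.com/me'


def render_naive(url: str) -> str:
    """The inadequate approach: strip spaces, then interpolate raw text into HTML."""
    return '<a href="%s">website</a>' % url.replace(' ', '')


def safe_href(url: str) -> Optional[str]:
    """Return the URL if it has an http(s) scheme and a host, otherwise None.

    Rejecting non-http schemes blocks javascript: and data: links, which
    escaping alone would not stop because they are syntactically valid hrefs.
    """
    candidate = url.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme not in ('http', 'https') or not parts.netloc:
        return None
    return candidate


def render_hardened(url: str) -> str:
    """Validate the scheme, then escape for the attribute context (quotes included)."""
    checked = safe_href(url)
    if checked is None:
        # Fall back to plain text rather than rendering an untrusted link.
        return '<span>website</span>'
    # html.escape with quote=True turns " and ' into entities, so the value can
    # never terminate the attribute regardless of whether it contains spaces.
    return '<a href="%s" rel="nofollow">website</a>' % html.escape(checked, quote=True)


if __name__ == '__main__':
    print('naive:   ', render_naive(HOSTILE_URL))
    print('hardened:', render_hardened(HOSTILE_URL))
    print('benign:  ', render_hardened(BENIGN_URL))
    print('non-http:', render_hardened('javascript:alert(1)'))
```

The naive renderer emits the hostile value verbatim, so the browser sees a second attribute on the anchor; the hardened renderer emits `&quot;` in its place and the value stays inert inside the href. The two checks are complementary: escaping handles the attribute-breakout case, and the scheme allowlist handles values that are well-formed attributes but dangerous URLs.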

Safety tips

Slater ticked off a few tips for those concerned about the safety of their Twitter account. The first and most obvious one is not to be logged in to Twitter, at least until it’s clear a fix has been implemented. But even if you’re not logged in, Slater claimed that “malicious code could still send you to other Web sites or otherwise annoy you, so it doesn’t completely fix the problems.”

He also suggested that users check their accounts and “unfollow” anyone they don’t know or don’t trust, who might be exploiting the alleged flaw.

Twitter has had its share of security issues. Earlier this month, reports surfaced that Twitter was being used to control botnets that could steal a user’s personal information.

Both Facebook and Twitter had to fend off denial of service attacks earlier this month.
