
Twitter Says Flash Flaw’s Been Fixed

By David Needle
Jan 23, 2010

Twitter says it has addressed a security flaw in its Flash widget that, according to one researcher, relied on a widely known Flash vulnerability and could be used to take over a user’s account.

Mike Bailey, a senior security analyst with Foreground Security, first raised the alarm on the problem, which exploits a known vulnerability in Adobe Systems’ Flash programming language.

Bailey said he doesn’t blame Adobe (NASDAQ: ADBE) for the flaw, first discovered in 2006. For its part, Adobe has told programmers how to address the vulnerability, but that advice has apparently not always been heeded.

“I’ve published some problems related to Adobe software, but this one in particular had to do with Flash object and how the developers at Twitter, or whoever did this, built the Flash applications,” Bailey told InternetNews.com.

Bailey said the danger is the flaw could let someone steal a user’s session credentials, giving them full access to that user’s Twitter account.

“I could post and act as that user, view their private messages and see their list of contacts extending out to their mobile device,” he said.

“It was pretty serious, but I’m happy it’s being dealt with,” he added.

For its part, Twitter acknowledged the issue and a workaround:

“We’ve been notified about a vulnerability in our Flash widget and out of an abundance of caution we’ve disabled access as we assess the situation. Please note that the JavaScript widgets are unaffected and are a good alternative for those of you who had been using the Flash version,” Twitter said in a blog post on its status page.

The post went on to say that Twitter wasn’t aware of any accounts being affected by the vulnerability, and it offered a contact e-mail for users who think they were.

But Bailey said we may never know how many, if any, users were impacted.

“That is one of the big scary things; if they are being attacked, there is almost no way to find out short of a very close examination of the server logs or client logs, which generally aren’t stored,” he said.

Flash under the microscope

Bailey said he plans to discuss flaws in Adobe Flash as part of a presentation at the Black Hat security conference next month in Washington D.C.

“My focus is not any particular attack, or anything Adobe’s done wrong, which in my opinion is completely irrelevant,” he said. “There are various ways Flash can be abused to exploit a Web browser … The problem is that there have been a wide variety of attacks and each case requires a different approach to fix. It has to be dealt with by the developer or the Web site administrator.”

Entitled “Neat, New and Ridiculous Flash Attacks,” Bailey’s session will discuss new Flash-based attacks, the repurposing of old attacks, and demonstrations of working (“and sometimes ridiculously complex,” according to its description) attacks on Gmail, Twitter, and other major Web sites.

Twitter has had its share of security issues. Just last month, Twitter fell victim to a security breach by hackers identifying themselves as members of the “Iranian Cyber Army.” That attack knocked Twitter briefly offline.

David Needle is the West Coast bureau chief at InternetNews.com, the news service of Internet.com, the network for technology professionals.
