Attack of the Tweets

Attack Of The Tweets: Major Twitter Flaw Exposed
U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

Aug 27, 2009 | 03:54 PM
By Kelly Jackson Higgins
DarkReading

A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.

U.K. researcher James Slater reported the serious flaw earlier this week, and now says Twitter's fix in response to his disclosure doesn't actually fix the problem. "It seems they've made a pretty amateurish attempt to fix the issue, completely missing the massive problem staring them in the face," Slater said in his blog.

The attack basically exploits an input validation weakness in a field of the form used for adding third-party Twitter clients, such as TweetDeck and Twitterific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there as well as raw HTML code, for instance. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."

The embedded code can perform any tasks the Twitter Website can perform, including redirecting a user to another page, sending tweets, changing account information, or adding or deleting followers, he said.

"Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure," Slater said.

Twitter's patch basically prevents people from putting spaces in that box, he said, which didn't go far enough. It left the door open for attackers to put any other code there, he said.

The best defense from this attack, he says, is to run a Twitter third-party client rather than logging into Twitter's Website directly, and to "unfollow" people you don't know or don't trust. "If you don't see their tweets they can't harm you," Slater blogged.

Twitter had not responded to media inquiries about the bug as of this posting.

It has been a tough summer for Twitter security-wise. Researcher Aviv Raff hosted the Month of Twitter Bugs in July, aimed at exposing vulnerabilities in third-party Twitter applications. Among other problems, Twitter was hit by a massive DDoS attack earlier this month that knocked the popular microblogging site offline for hours, and then a researcher discovered a Twitter profile being used as the command center for a botnet. The profile was sending updates and malware to bots.