Twitter Flaw Compels Victims to Follow Hacker's Account

TechCrunch, a weblog that reviews and profiles Internet items, reported on July 28, 2008 that a Twitter account named johng77536, in existence for hardly two days, had become one of the 100 most popular Twitter accounts. According to browser-flaw researcher Aviv Raff, a vulnerability in Twitter could lead users to websites that host malware. Raff said that the bug could compel users to follow the hacker's account, meaning that all of the hacker's tweets, along with potentially malicious links, would be displayed on their Twitter home page, as reported by ITWorld on July 31, 2008. Moreover, there is proof-of-concept attack code that exploits a 'cross-site request forgery' (CSRF) flaw to trick a user into following his Twitter account merely by opening a rigged site.

Twitter can be used to disseminate legitimate links as well as viruses and spam. If a person uses Twitter for a malicious purpose, the result could be a virus infection on the targeted computer and the loss of its user's money to the intruders.

The Twitter flaw is the latest of a couple of flaws that Raff has discovered. In the fourth week of July 2008, Raff reported another flaw that allowed phishers and spammers to distribute e-mails containing links to malicious websites to other Twitter users. However, Twitter fixed that flaw on July 31, 2008. Furthermore, Raff has assisted Twitter with patching another flaw that could help attackers distribute spam containing malicious links. A number of cross-site scripting flaws in Twitter have been identified and patched.

So far, it isn't evident whether the hacker used the security flaw in the Twitter API. It also seems that another Twitter account, named jpmogan, had exploited the same flaw. When TechCrunch last checked these accounts, they had been purged. Nevertheless, it isn't certain whether the flaw has been addressed.
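The class of flaw described above, and the server-side checks that close it, can be shown with a small model of a "follow" endpoint. This is an added example, not Twitter's code or anything published by the researcher; the handler names, request layout, origin and session values are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # hypothetical per-deployment secret
TRUSTED_ORIGIN = "https://social.example"   # constructed site name

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded only in the site's own follow form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def follow_vulnerable(session, request, follows):
    # Trusts the session cookie alone. The browser attaches that cookie to any
    # request to the site, including one triggered by an unrelated page.
    follows.setdefault(session["user"], set()).add(request["params"]["target"])
    return 200

def follow_hardened(session, request, follows):
    if request["method"] != "POST":          # state changes only via POST
        return 405
    # Reject requests whose Origin header is not the site itself.
    if request["headers"].get("Origin") != TRUSTED_ORIGIN:
        return 403
    # Require the session-bound token, which a third-party page cannot read.
    supplied = request["params"].get("csrf_token", "").encode()
    expected = issue_csrf_token(session["id"]).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403
    follows.setdefault(session["user"], set()).add(request["params"]["target"])
    return 200

def demo():
    session = {"id": "s-123", "user": "alice"}   # constructed session
    # Constructed request as a browser would send it while showing an
    # unrelated page: cookie attached, foreign Origin, no token.
    forged = {"method": "GET", "headers": {"Origin": "https://other.example"},
              "params": {"target": "unwanted_account"}}
    # Constructed request submitted from the site's own form.
    genuine = {"method": "POST", "headers": {"Origin": TRUSTED_ORIGIN},
               "params": {"target": "friend",
                          "csrf_token": issue_csrf_token(session["id"])}}
    weak, strong = {}, {}
    return {"vulnerable_forged": follow_vulnerable(session, forged, weak),
            "hardened_forged": follow_hardened(session, forged, strong),
            "hardened_genuine": follow_hardened(session, genuine, strong),
            "weak_follows": weak, "strong_follows": strong}

if __name__ == "__main__":
    print(demo())
```

The vulnerable handler records the unwanted follow, while the hardened one rejects the same request and still accepts the one that carries the session-bound token.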
Meanwhile, anticipating further Twitter research, Raff said that he is working on various ways to exploit Twitter as a potential platform and that he would publish his research, when complete, on his blog, Twitpwn.

Related article: Twitter Users Again Under Phishers Attack

» SPAMfighter News - 14-08-2008














