Security Researchers Discovered XSS Bug in Twitter
Eric Wastl and Lance James, Security Researchers at Secure Sciences Corporation (located in San Diego, US), have identified an XSS (Cross-Site Scripting) vulnerability in Twitter, affecting this widely used micro-blogging service.
The researchers state that anyone clicking on a maliciously designed web link on Twitter could enable an attacker to compromise the user's account. Beyond running attack code in the victim's session, an attacker could exploit the XSS vulnerability to take over the person's PC.
Providing further details, the researchers said that the page loaded through the Cross-Site Scripting flaw typically presents users who follow the link with a prompt asking whether they want to be infected or not. Thus, the attack begins its operation only once the user accepts. A point of concern is that a more sinister attacker could use this flaw to do even worse things. For instance, he could craft the attack so that no alert windows appear at all, and instead display sensational messages enticing enough to get the user to click.
James explained that, with the technology Twitter has adopted, he could utilize the flaw to massively infect Twitter users with malware or steal details of their accounts, among other things, as reported by SOFTPEDIA on March 20, 2009.
Meanwhile, the problem is made worse by the fact that Twitter users, working within the service's 140-character limit, shorten Web links with services such as Tinyurl.com. Hence, they cannot tell whether they are following a trusted link or not.
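As an added illustration of the defensive side of the two points above (this is example code written for this page, not code from the article, Twitter or Secure Sciences), the JavaScript below shows the vulnerable pattern of pasting user-supplied message text straight into markup next to the hardened form that encodes it, and a separate check that a link's scheme must pass before the link is rendered, since encoding alone does not make an arbitrary URL safe in an `href`. The function names and the sample message are assumptions constructed for the example.

```javascript
// Added example, not from the article: output encoding as the standard
// mitigation for reflected/stored XSS, plus scheme-restriction for links.

// Characters that can change HTML structure, mapped to their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so the browser treats it as data, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled text interpolated directly into markup.
function renderTweetUnsafe(text) {
  return `<p class="tweet">${text}</p>`;
}

// Hardened pattern: the same template, but every structural character is encoded.
function renderTweetSafe(text) {
  return `<p class="tweet">${escapeHtml(text)}</p>`;
}

// Links need a second, independent check: only http(s) URLs are allowed through,
// everything else (unparsable strings, other schemes) falls back to an inert '#'.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (e) {
    // Not an absolute, parsable URL; treat as untrusted.
  }
  return '#';
}

// Render a link whose text and destination both come from an untrusted message.
function renderLink(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}

// Constructed sample message (hypothetical) that carries markup.
const SAMPLE_MESSAGE = 'Check this out <script>alert("x")</script>';

// Stand-alone demonstration: the unsafe renderer leaves the tag intact,
// the safe renderer reduces it to harmless text.
console.log(renderTweetUnsafe(SAMPLE_MESSAGE));
console.log(renderTweetSafe(SAMPLE_MESSAGE));
console.log(renderLink('https://example.com/a?b=1&c=2', 'example'));
console.log(renderLink('javascript:void(0)', 'not a web link'));
```

The two defences are deliberately separate: `escapeHtml` is correct for text and attribute values, but an attribute such as `href` also has a URL context in which an allowed scheme must be enforced, otherwise a correctly encoded but non-http link is still live.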
Nevertheless, security researchers expect that Twitter will issue a patch to fix the vulnerability. So far, no exploitation of the Twitter flaw has been reported.
Graham Cluley, Senior Technology Consultant at Sophos, states that Twitter must seriously review its security so that members' confidence remains high in the wake of the new flaw.
Meanwhile, James hoped that their finding would prompt Twitter to treat its security as an important issue. The researchers observe that Twitter's security procedures have lately been drawing attention as its popularity has risen. In January 2009, hackers reportedly accessed the Twitter accounts of CNN, Fox News and Barack Obama.
» SPAMfighter News - 30-03-2009