Researcher Confirms XSS Vulnerability on Twitter

An XSS (cross-site scripting) security flaw has been demonstrated on Twitter, the micro-blogging website. If exploited, the flaw could allow attackers to compromise the accounts of Twitter users or to disseminate malicious software.

A security researcher from Indonesia, using the name "H4x0r-x0x" and the Twitter handle "Own3d_5ys," found the flaw. He demonstrated it through his private Twitter account, as SCMagazine reported on June 24, 2010.

The flaw stems from a lack of input validation on the application name field, which is used when approving new requests from third-party Twitter applications. When a user accesses his Twitter account, two XSS alert windows appear, after which the browser is manipulated and the user eventually "steps into the matrix", receiving e-mails from the flaw's discoverer.

Daniel Kennedy, partner at Praetorian Security Group, states that he has not seen attackers use the flaw, although that could obviously change.

In the meantime, the problem appears to resemble the one James Slater, a software developer, described in August 2009. That problem concerned Twitter's API (Application Programming Interface), which developers use to build software that posts messages to the site. Evidently, the API did not properly check an application's URL, so malicious JavaScript could be injected along with the URL.
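Both flaws described above come down to untrusted application data (a name, a URL) being placed into a page without being validated or encoded for its context. The following is an added example, not Twitter's code, showing an application approval snippet rendered the vulnerable way beside a hardened version; the application fields and the page text are constructed for the demonstration.

```javascript
// Added example (not Twitter's code): render a third-party application's
// name and URL on an approval page without letting either inject script.
// The application record and page wording below are constructed.

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only absolute http(s) URLs for the application link; anything
// else (javascript:, data:, unparsable input) is replaced by a safe default.
function safeAppUrl(u) {
  try {
    const parsed = new URL(String(u));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return parsed.href;
    }
  } catch (e) {
    // unparsable URL falls through to the default
  }
  return "#";
}

// Vulnerable rendering: the untrusted name and URL are concatenated raw,
// so markup in the name and a script URL both reach the browser intact.
function renderVulnerable(app) {
  return `<p>Allow <a href="${app.url}">${app.name}</a> to access your account?</p>`;
}

// Hardened rendering: the URL is restricted to http(s) and every untrusted
// value is HTML-escaped for the context it lands in.
function renderSafe(app) {
  const href = escapeHtml(safeAppUrl(app.url));
  return `<p>Allow <a href="${href}">${escapeHtml(app.name)}</a> to access your account?</p>`;
}

// Constructed sample: an application registration with hostile fields.
const hostileApp = {
  name: "<script>alert(1)</script>",
  url: "javascript:alert(1)",
};
```

Rendering `hostileApp` with `renderSafe` yields only inert text and a neutralised link, while `renderVulnerable` would hand both the script tag and the `javascript:` link to the browser.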

Twitter's XSS flaws have previously been exploited to compromise accounts and to create worms such as StalkDaily and Mikeyy. Once a profile contains malicious JavaScript, a user's account can be compromised simply by visiting that profile. This makes a wholly self-propagating website worm possible, in contrast to some more recent phishing attacks that steal a user's credentials through a fake Twitter page.

Meanwhile, the current XSS vulnerability in Twitter is possibly the first such dangerous one since the start of 2010. Security researchers say the micro-blogging site should fix it quickly, because the flaw has already been made public and has existed for several days.

Notably, an associate researcher has informed Twitter of the problem, including Del Harvey, Director of Twitter's Trust and Safety team.

» SPAMfighter News - 03-07-2010
