Persistent XSS Flaw Harms Twitter

According to a software developer, an XSS (cross-site scripting) flaw influencing the security of Twitter continues to exist although the micro-blogging utility tries to develop a patch.

The researcher states that the flaw allows an attacker to seize session cookies, infect Twitter's visitors with malicious software, or create a virus that could damage the site. Moreover, the vulnerability could let a hacker to fully compromise the Twitter account of a victim.

It was James Slater a blogger who first reported the flaw and demonstrated in his post how an attacker could execute an arbitrary code on users' systems after making the users to simply open a booby-trapped Twitter message. When the tweet is opened, it downloads a JavaScript, which could potentially modify profiles and post additional tweets while a user is logged in.

Although the software maker claims that Twitter has a fix to address a serious XSS flaw, it holds little meaning as users continue to be susceptible to account compromising attacks.

Slater blamed Twitter for blindly relying on external data while developing Web programs, with the forms doing extremely limited or no checking of the data entered therein.

The blogger, who made his post on August 25, 2009, stated that despite Twitter maintaining that it had resolved the issue, the related patch hardly proved effective.

Meanwhile, the flaw represents the most recent issue that points out weaknesses in the social-networking site used by innumerable subscribers daily. In the current time, hackers are cashing in on an Application Programming Interface (API), which provides a simple method for users to develop individual programs that read and send tweets conveyed over Twitter.

The API keeps aside space within every tweet where the application's name would be entered. Slater demonstrated that hackers could use the flaw to invoke malicious JavaScript, which Twitter has succeeded in blocking elsewhere in its service.

Furthermore, in August 2009, Search Engine Optimization experts had disclosed one such technique from blackhat hackers, which was employed for raising the rank of a website through the receipt of a Twitter "link."

Related article: Prosecutors Charge Romanian Hacker for Violating NASA Computer Security

» SPAMfighter News - 9/17/2009