Twitter Vulnerability Exposed - InformationWeek


3/20/2009 05:29 PM


The XSS security issue allows attackers to inject malicious code into Web pages, including HTML and client-side scripts.

Twitter has a serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, combined with other exploit code, compromise their computers.

Proof-of-concept exploit code has been posted by Secure Science researchers Lance James and Eric Wastl. They say that Twitter has been notified but has not yet responded to them.

The proof-of-concept page offers anyone who clicks the link a choice of whether or not they want to be exploited. Those who accept trigger the exploit, which posts the message "I just got owned!" to the Twitter account XSSExploits.

Twitter did not immediately respond to a request for comment.

"The vulnerability is still active," said Wastl. "Basically, we produce a link and if a Twitter user clicks on it, it allows us to hijack their accounts."

XSS vulnerabilities allow attackers to inject malicious code into Web pages, including HTML and client-side scripts. Because the injected script runs in the context of the vulnerable site, it executes with the victim's logged-in session, which is what lets it act on the victim's account. XSS can be used to bypass access controls, steal information, and conduct phishing attacks.

James cautions that XSS vulnerabilities should be taken seriously because they can reach beyond Web pages. "A lot of people think XSS is limited to the Web," he said. If there's another vulnerability in the victim's browser, the Twitter flaw could be used to launch additional malicious code, he explained.

This is particularly germane to Twitter users because so many of them rely on specialized third-party Twitter browsing applications, which aren't subjected to the security scrutiny given to major Web browsers.
