Twitter has a serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, in conjunction with other exploit code, compromise their computers.
The proof-of-concept code page offers those clicking on the link a choice of whether they want to be exploited or not. Those who accept will trigger the exploit, causing the message "I just got owned!" to be posted to the Twitter XSSExploits account.
Twitter did not immediately respond to a request for comment.
"The vulnerability is still active," said Wastl. "Basically, we produce a link and if a Twitter user clicks on it, it allows us to hijack their accounts."
XSS vulnerabilities allow attackers to inject malicious code into Web pages, including HTML and client-side scripts. They can be used to bypass access controls, steal information, and conduct phishing attacks.
James cautions that XSS vulnerabilities should be taken seriously because they can reach beyond Web pages. "A lot of people think XSS is limited to the Web," he said. If there's another vulnerability in the victim's browser, the Twitter flaw could be used to launch additional malicious code, he explained.
This is particularly germane to Twitter users because so many of them rely on specialized third-party Twitter browsing applications, which aren't subjected to the security scrutiny given to major Web browsers.
Twitter has suffered from a series of security incidents in recent months. Last week, about 750 Twitter accounts were hacked and used to send tweet spam.
About the same time, The Washington Post reported that Twitter had fixed an SMS spoofing vulnerability identified by James that was nearly identical to one reported to the company by another security researcher back in April 2007.
In January, 33 Twitter accounts associated with celebrities were hacked.
That same month, Twitter said it was conducting a full security review of all access points to Twitter. To date, it has not provided an update on its findings.
In July, security researcher Aviv Raff said that Twitter suffered from a vulnerability that allowed an attacker to force victims to join his or her Twitter follow list automatically.
Twitter's surging popularity only increases its attractiveness as a target for cybercrime. And the service's basic design amplifies the problem. "The structure that Twitter uses makes it the perfect architecture for spreading something virally," said Wastl. As with social networks, the feeling that one is among friends on Twitter may lead to insufficient caution.
According to James, Twitter encourages unsafe security practices, like the use of URL redirection and presenting links in a way that promotes trust that may not be deserved.
"It breeds bad human behavior to serious security problems," said James.