Twitter XSS vulnerability not yet fixed
A major cross-site-scripting vulnerability in Twitter that could result in a user's account being taken over has yet to be fixed despite Twitter's claim that it has, according to the software developer who discovered the bug.James Slater first described the vulnerability, which allows malicious JavaScript code to be inserted into tweets, Tuesday on the blog of Dave Naylor, a search marketing executive.
Twitter's application programming interface (API), used by developers to create applications to post tweets -- such as TweetDeck, TwitterFox or HootSuite -- does not properly filter the URL of these programs. As a result, users could actually insert malicious JavaScript code along with a URL.
“With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application' and start sending tweets with it,” Slater explained in a blog post Wednesday. “It can be arranged so that if another Twitter user so much as sees one of these tweets -- and they are logged in to Twitter -- their account could be taken over.”
Because of the bug, attackers could capture account credentials, redirect a user to a site of their choosing, alter a user's tweets or "followers," or send messages from a compromised account.
“The main impact is that it could be abused by anyone really, to steal your [login] details or impersonate your Twitter,” Slater, who works for Naylor's search engine optimization company, Bronco Internet, told SCMagazineUS.com on Wednesday.
Twitter was informed about the vulnerability Tuesday before details of it were posted, Naylor said. A member of Twitter's operation team told Naylor that the company had fixed the glitch, but Naylor said the patch doesn't work.
A Twitter spokesperson could not be reached for comment Wednesday.
"Their idea of fixing it is to stop you [from] putting spaces in the address box [on the application]," Slater wrote. "Spaces. Other than that, everything else is fair game."
Meanwhile, Slater said the best way to avoid the flaw is to not login to Twitter. Also, are were encouraged to "un-follow" people they do not personally know or trust.
“At one time, cross-site scripting was only understood by the security geek, but today these vulnerabilities are both well understood, ubiquitous and dangerous,” Andrew Storms, director of security operations for network and compliance audit firm nCircle, said in a statement sent to SCMagazineUS.com on Wednesday. “Every Twitter user, and anyone who frequents social media sites, should be paying close attention to these security issues, as well as using all other reasonable precautions to protect their online safety."
