Gadgetell | Tech News, Reviews, and Interesting Things


Practice safe surfing: Don’t get hijacked on Twitter

by Jodie Andrefski on Mar 21, 2009 at 09:32 AM

Twitter has been making the news a lot lately, and the latest reason is not a positive one.  If you, like many, are a Twitter user, be careful: it has just come out that the site is vulnerable to a major cross-site scripting (XSS) flaw that could let an attacker hijack a user’s account.  Once an attacker has done that, they could also combine it with other exploit code and have a field day on the user’s computer.

Click a link, get pwned

Secure Science researchers Lance James and Eric Wastl posted proof-of-concept exploit code as evidence.  Although they did notify Twitter, they say they have yet to receive a response.  The proof-of-concept page offers Twitter users a link where they can choose whether or not they want to be exploited.  (I can see everyone yelling “pick me! pick me!”)  If you decide exploitation is your thing and click the button, you kick off the exploit, and a message reading “I just got owned!” then shows up on the Twitter XSSExploits account.

Wastl says that “The vulnerability is still active.  Basically, we produce a link and if a Twitter user clicks on it, it allows us to hijack their accounts.”

Be careful everywhere

With an XSS vulnerability, malicious code, which can include HTML and client-side scripts, can be injected into the Web pages a site serves to its users.  From there, access controls can be bypassed, information stolen, and good old phishing carried out.
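As an added illustration of the reflected-XSS pattern Wastl describes (a crafted link whose parameter the site echoes back into the page unescaped), here is example code written for this page. It is not the Secure Science proof-of-concept and not Twitter’s code; the hypothetical search page, the /status/update endpoint and the payload are all constructed for illustration. It runs under Node.js with no dependencies.

```javascript
// Added example: a minimal reflected-XSS pattern beside its fix.
// Assumption: a hypothetical search page that echoes the "q" query parameter
// back into the HTML it serves. Nothing here is Twitter's code or the
// researchers' proof-of-concept.

// Escape the five characters that let attacker text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the parameter is concatenated straight into the markup.
function renderVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened: the parameter is HTML-encoded before it reaches the markup.
function renderSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Crude check: does the served page contain a <script> tag the server never
// wrote? A browser would decide this by parsing the DOM; this regex is enough
// to show the difference between the two renderers.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input, as it would arrive after URL-decoding the "q"
// parameter of a crafted link such as
//   https://example.invalid/search?q=%3Cscript%3E...%3C%2Fscript%3E
// If the page reflects it unescaped, the script runs in the victim's
// logged-in session: the browser attaches the session cookie automatically,
// so the request below is made with the victim's identity.
const payload =
  '<script>fetch("/status/update",{method:"POST",body:"status=I just got owned!"})</script>';

function demo() {
  const vuln = renderVulnerable(payload);
  const safe = renderSafe(payload);
  return {
    vulnerableHasScript: containsInjectedScript(vuln),
    safeHasScript: containsInjectedScript(safe),
    safe,
  };
}

const result = demo();
console.log('vulnerable page carries attacker script:', result.vulnerableHasScript);
console.log('hardened page carries attacker script:  ', result.safeHasScript);
console.log(result.safe);
```

The fix is output encoding for the context the data lands in; the text-node encoding above is not enough if the parameter is written into a JavaScript block, a URL, or an unquoted attribute, each of which needs its own encoder. Marking the session cookie HttpOnly keeps injected script from reading it, but does not stop the script from making authenticated requests on the victim’s behalf, which is exactly what an account hijack of this kind relies on.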

James stresses that it is important to keep in mind that these XSS vulnerabilities are not to be taken lightly since they can go beyond just web pages.  “A lot of people think XSS is limited to the Web,” he said. If there’s another vulnerability in the victim’s browser, the Twitter flaw could be used to launch additional malicious code, he explained.

This is especially applicable to Twitter because a vast majority of its users rely on third-party Twitter browsing applications, and these applications are usually subject to the same security concerns that major Web browsers face.

Spam and Twitter

This isn’t the first security breach Twitter has seen.  Just last week, around 750 accounts were hacked and then used to send spam tweets.  (Although I have to say it sounds much friendlier being labeled a “tweet” than junk mail, at least.)  In January, 33 celebrity Twitter accounts were hacked.  Twitter said that month that it was conducting a full security review; so far, no findings have been provided.  The Washington Post also reported last week that Twitter had fixed a spoofing vulnerability that was almost exactly the same as one reported by a different security researcher back in 2007.

It’s thought that Twitter’s rapid growth is also making it more and more attractive to those wanting to use it maliciously, and Wastl feels that Twitter’s basic design makes the problem even worse.  “The structure that Twitter uses makes it the perfect architecture for spreading something virally,” said Wastl.  As on other social networks, the feeling that one is among friends on Twitter may lead to insufficient caution.

Is Twitter being careless?

James feels that Twitter doesn’t do enough to encourage safe security practices; instead, it does precisely the opposite by using URL redirection and displaying links that promote a false sense of security, since that trust isn’t necessarily deserved.  “It breeds bad human behavior to serious security problems,” said James.

So, on Twitter, as on any social networking site, or any site, caution is key.  Don’t go clicking on links unless you are darn sure where you are going or that it is safe.  Always practice safe surfing.

Via: techweb



Comments
  • pc repair said:

    Be careful with Twitter, it is dangerous for your bank account. Don’t click any unknown link; it may be a hacker and can steal your personal information. Be alert.
