TWITTER SECURITY PROBLEM NOT YET RESOLVED

Wednesday, August 26, 2009
Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field where an application developer would normally link to a product website. There are all sorts of malicious things people could have done to exploit the bug, like steal session cookies, create a Twitter worm or even infect unaware visitors with malware, so it’s safe to say this was a massive security threat.
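The defensive side of the bug Naylor describes, as an added example that is not Twitter's code: a developer-supplied "application website" value must be treated as untrusted before it is rendered into the tweet page. The `renderVia`, `sanitizeAppUrl` and `escapeHtml` names, and the assumption that the link is rendered as an anchor in the tweet's source attribution, are mine.

```javascript
// Added example (not from Twitter): safely render a developer-supplied
// application link. Two independent defences are applied: the value must
// parse as an absolute http(s) URL, and anything placed into an attribute
// or text node is HTML-escaped so it cannot break out of its context.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns a normalised http(s) URL, or null if the value is not acceptable.
// Uses the WHATWG URL parser built into Node and browsers.
function sanitizeAppUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (e) {
    return null; // relative or unparseable input is not a usable link
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null; // rejects script-bearing schemes such as javascript: or data:
  }
  return url.href; // serialised form; unsafe path characters are percent-encoded
}

// Builds the "via <app>" fragment (hypothetical markup). When the URL fails
// validation the app name is shown as plain text rather than as a link.
function renderVia(appName, appUrl) {
  const name = escapeHtml(appName);
  const safeUrl = sanitizeAppUrl(appUrl);
  if (safeUrl === null) {
    return `via ${name}`;
  }
  return `via <a href="${escapeHtml(safeUrl)}" rel="nofollow">${name}</a>`;
}
```

Escaping at the output point is what closes the hole regardless of what the registration form accepted, so a fix that only filters the input field can be bypassed by values stored before the filter existed.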

Sure enough, when word got out Twitter moved to patch the bug to prevent such bad stuff from happening. John Adams from Twitter Operations even commented on Naylor’s blog to point out the hole had been closed shortly after he published his post.

Well, not quite.

Naylor today followed up on yesterday’s blog post with another one correctly claiming that the exploit still very much works. He proved as much by creating another dummy account on Twitter, which pops up a (harmless) dialog box when you visit the link through the website. Twitter may suspend this account soon, much like they did with the first dummy account Naylor created to make his point, so I included a screenshot of what happens when you visit that profile on top of this post.

It’s important to note that you’re probably safe when you use any third-party client for your Twitter needs, although I’d recommend you make use of the more popular ones and stop visiting the Twitter website for the next couple of days. Whatever you do, be careful when you click links to Twitter profiles you don’t know, even when they are linked to by people you know and trust, and be on the lookout for suspicious-looking applications used to send out tweets.

We’ve contacted Twitter to let them know the security threat is still very much present. Hopefully, we’ll see an adequate fix and a statement from the startup soon.
