Attack Of The Tweets: Major Twitter Flaw Exposed

U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim's account -- with a tweet

Dark Reading logo in a gray background | Dark Reading

A newly exposed cross-site scripting (XSS) vulnerability in Twitter lets an attacker wrest control of a victim's account merely by sending him or her a tweet.

U.K. researcher James Slater reported the serious flaw earlier this week, and now says Twitter's fix in response to his disclosure doesn't actually fix the problem. "It seems they've made a pretty amateurish attempt to fix the issue, completely missing the massive problem staring them in the face," Slater said in his blog.

The attack basically exploits an input validation weakness in a field of the form used for adding third-party Twitter clients, such as TweetDeck and Twitterific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there as well as raw HTML code, for instance. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."

The embedded code can perform any tasks the Twitter Website can perform, including redirecting a user to another page, sending tweets, changing account information, or adding or deleting followers, he said.

"Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure," Slater said.

Twitter's patch basically prevents people from putting spaces in that box, he said, which didn't go far enough. It left the door open for attackers to put any other code there, he said.

The best defense from this attack, he says, is to run a Twitter third-party client rather than logging into Twitter's Website directly, and to "unfollow" people you don't know or don't trust. "If you don't see their tweets they can't harm you," Slater blogged.

Twitter had not responded to media inquiries about the bug as of this posting.

It has been a tough summer for Twitter security-wise. Researcher Aviv Raff hosted the Month of Twitter Bugs in July, aimed at exposing vulnerabilities in third-party Twitter applications. Among other problems, Twitter was hit by a massive DDoS attack earlier this month that knocked the popular microblogging site offline for hours, and then a researcher discovered a Twitter profile being used as the command center for a botnet. The profile was sending updates and malware to bots.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights