Massive Twitter Security Problem Not Resolved Just Yet

Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting (XSS) vulnerability: he could inject JavaScript into tweets simply by putting script into the website field of a registered Twitter application, the field where an application developer would normally link to a product website and which Twitter renders, unescaped, in the "from ..." link on every tweet sent through that application. Because the payload is stored with the application and rendered on every page that displays one of its tweets, there are all sorts of malicious things an attacker could have done with it: steal session cookies, create a Twitter worm, or even infect unsuspecting visitors with malware. It is safe to say this was a massive security threat.

Sure enough, when word got out Twitter moved to patch the bug. John Adams from Twitter Operations even commented on Naylor's blog to say the hole had been closed shortly after the post went up.

Well, not quite.

Naylor today followed up on yesterday's blog post with another one, correctly claiming that the exploit still very much works. He proved as much by creating another dummy account on Twitter whose profile pops up a (harmless) JavaScript alert box when you visit it through the Twitter website. Twitter may suspend this account soon, much like it did with the first dummy account Naylor created to make his point, so I included a screenshot of what happens when you visit that profile at the top of this post.

Naylor writes:

With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets – and they are logged in to Twitter – their account could be taken over.

Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure.

In my opinion it is completely unacceptable that Twitter's engineers never got in touch with Naylor to understand the exploit and fix the problem properly, something Naylor rightly calls a shame. Instead, the startup's tech team apparently tried to fix it without really looking at the underlying issue:

Their idea of fixing it is to stop you putting spaces in the address box. Spaces. Other than that, everything else is fair game.
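To make concrete why rejecting spaces is not a fix, here is an added illustration of the vulnerability class described above. It is not Twitter's code and not Naylor's payload: the renderer, the space-only filter, the hardened renderer and the two constructed test URLs are all assumptions made for this example. The point it demonstrates is that an attacker-controlled value dropped into an href attribute is dangerous whether or not it contains spaces, and that the real fix is to validate the URL scheme and escape the value for the HTML attribute context.

```javascript
// Added example (not Twitter's code): stored XSS via an application URL
// rendered into a "from <app>" link, a space-only filter, and a real fix.

// Vulnerable renderer: drops the developer-supplied URL straight into an
// href attribute. A double quote breaks out of the attribute, and a
// javascript: URL does not even need to break out to execute.
function renderSourceLinkVulnerable(appName, appUrl) {
  return `from <a href="${appUrl}">${appName}</a>`;
}

// The "fix" quoted above, as a filter: refuse URLs containing a space,
// change nothing about how the value is rendered.
function spaceOnlyFilter(appUrl) {
  if (appUrl.includes(" ")) throw new Error("rejected: space in URL");
  return appUrl;
}

// Escape every character with meaning inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only URLs that parse and use an http(s) scheme; return the
// normalised form (the URL parser percent-encodes quotes in the path).
function safeHttpUrl(appUrl) {
  let u;
  try { u = new URL(appUrl); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.href;
}

// Hardened renderer: scheme allowlist plus attribute-context escaping.
// An unacceptable URL yields the application name with no link at all.
function renderSourceLinkHardened(appName, appUrl) {
  const url = safeHttpUrl(appUrl);
  if (url === null) return `from ${escapeHtml(appName)}`;
  return `from <a href="${escapeHtml(url)}">${escapeHtml(appName)}</a>`;
}

// Constructed payloads (assumptions for this example) that contain no
// spaces, so a space-only filter lets both through.
const PAYLOADS = [
  "javascript:alert(document.cookie)",       // executes without breaking out
  'http://x/"onmouseover="alert(1)',         // breaks out of the attribute
];

function passesSpaceFilter(appUrl) {
  try { spaceOnlyFilter(appUrl); return true; } catch { return false; }
}

// Crude detector for the rendered markup: a javascript: href, or an on*
// event-handler attribute immediately after a quote or whitespace.
function hasScriptHook(html) {
  return /href="javascript:/i.test(html) || /["\s]on\w+=/i.test(html);
}

// Compare the three behaviours for one application URL.
function evaluatePayload(appName, appUrl) {
  return {
    spaceFilterAccepts: passesSpaceFilter(appUrl),
    vulnerableHasHook: hasScriptHook(renderSourceLinkVulnerable(appName, appUrl)),
    hardenedHasHook: hasScriptHook(renderSourceLinkHardened(appName, appUrl)),
  };
}

for (const p of PAYLOADS) {
  console.log(p, evaluatePayload("SomeApp", p));
}
```

Both constructed URLs sail through the space filter and produce an executable hook in the vulnerable markup; the hardened renderer drops the javascript: link entirely and turns the attribute-breakout URL into a harmless percent-encoded path.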

It's important to note that you're probably safe when you use a third-party client, since the injected code only runs when the Twitter website itself renders the tweet, although I'd recommend you stick to the more popular clients and stay off the Twitter website for the next couple of days. Whatever you do, be careful when you click links to Twitter profiles you don't know, even when they are linked to by people you know and trust, and be on the lookout for suspicious-looking applications in the "from ..." line of tweets.

We’ve contacted Twitter to let them know the security threat is still very much present. Hopefully, we’ll see an adequate fix and a statement from the startup soon.