Yesterday I posted an article about a serious vulnerability I found in Twitter. As it was a bit on the geeky side, it may well have gone over a few people’s heads, so I thought I’d try to explain it in a bit more detail. Incidentally I don’t think Twitter really got it either, as we’ll see in a moment.
[Embedded video: Twitter Exploit Video]
Why should I care?
With a few minutes’ work, someone with a bit of technical expertise could register a Twitter ‘application’ and start sending tweets with it. Using the simple steps described below, it can be arranged so that if another Twitter user so much as sees one of these tweets – while they are logged in to Twitter – their account could be taken over.
Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser, impersonating you and doing anything that your browser can do. Perhaps it simply redirects you to a pornographic website? Or maybe it deletes all of your tweets? Sends a message to all of your friends? Maybe it removes all of your followers, or, worse still, just sends the details needed to log in to your account off to another website for someone to use at their leisure.
All of that, just from seeing one of these tweets.
If I tweet something, all of my followers will see it instantly. Do you trust everyone you’re following?
I could mention a few of the trending topics of the moment, and there’s a good chance that someone will see one of my tweets that way.
Maybe I could just drop your name into my tweet and see if you look at it to see why I’ve mentioned your name?
What should I do?
There are a couple of steps you can take to reduce the chance of being affected.
- If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you, however malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
- Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.
- If you use something other than the Twitter website to view your tweets, perhaps one of the applications mentioned below, you are likely to be fairly safe, though without looking at each one individually it’s hard to be sure.
How does it work?
If you’ve used Twitter you may have noticed that whenever you ‘tweet’, along with the time it also shows the name of the Twitter application you used to send the update. Many people just use the Twitter website; others use dedicated applications – like TweetDeck, TwitterFox or HootSuite, as seen below in one of Dave’s tweets.
That application name is a link, and where it goes is up to the developer of the application. If they change it, the change affects all of the tweets ever sent with that application. Fair enough. It can be changed quite simply by filling out a form on the Twitter website, and the change takes effect instantly.
Twitter made one of the most basic mistakes in developing web applications – never blindly trust data provided from the outside world! Their form did no checking – or only some very, very basic checking – on what you enter in the box. I pointed this out in the article yesterday and they have since attempted to fix it. However, Twitter have completely missed the point.
- Whatever I type in that box will appear on the end of my tweets.
- I can type raw HTML code, including <script> tags, into that box, and it will get included on the end of my tweet.
- Anyone who sees that tweet will then be viewing that code in their browser.
The code between those <script> tags can do anything the Twitter website can do: send you off to another page, change your account details, send tweets, add or delete followers, and so on.
I say Twitter have missed the point because they apparently “fixed” the problem last night.
Their idea of fixing it is to stop you putting spaces in the address box. Spaces. Other than that, everything else is still accepted.
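To show why a “no spaces” rule is not a fix, here is an added example (my own illustration, not Twitter’s code or anything from the original post) that models the two sides of the problem: what the form should do when the developer saves an application address, and what the page should do when it renders that address on the end of a tweet. The two sample addresses, the function names and the link markup are all constructed for this illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample values for the "application website" box.
# The first is an ordinary address; the second is a hypothetical hostile value
# that contains no spaces at all, so a space filter would never notice it.
GOOD_URL = "http://www.tweetdeck.com/"
HOSTILE_VALUE = 'http://example.test/"><script>alert(1)</script>'


def space_only_fix(value):
    """Models the fix described in the post: remove spaces and nothing else."""
    return value.replace(" ", "")


def validate_source_url(value):
    """Allowlist validation for the saved address: absolute http(s) URL only.

    Raises ValueError on anything else, so bad data never reaches storage.
    """
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL")
    # Characters that cannot occur literally in a URL; a real URL percent-encodes them.
    if any(ch in value for ch in '<>"\'\x00 '):
        raise ValueError("illegal character in URL")
    return value


def render_naively(url, name):
    """What a template does when it trusts the stored value (no escaping)."""
    return '<a href="%s">%s</a>' % (url, name)


def render_source_link(url, name):
    """Output encoding: escape for the attribute context and the text context."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(name))


def contains_script(markup):
    """True if a <script> tag survived into the rendered HTML."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    # The space filter leaves the hostile value untouched, and naive rendering
    # puts a live <script> tag into the page.
    print(contains_script(render_naively(space_only_fix(HOSTILE_VALUE), "app")))  # True
    # Escaping on output neutralises it even if it was stored.
    print(contains_script(render_source_link(HOSTILE_VALUE, "app")))  # False
    # Validation on input refuses to store it in the first place.
    try:
        validate_source_url(HOSTILE_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
    print(validate_source_url(GOOD_URL))
```

The point of the two layers is that they fail independently: validation keeps the stored data sane, and output encoding makes the page safe even when something slips past validation. A filter that only removes one character does neither.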
I think I’m going to stay off Twitter for a couple of days!
P.S. This isn’t the first time we’ve found vulnerabilities in Twitter… I wonder how many more there are out there? We got no response from them yesterday either, which is a shame. We don’t want to stop using their service because we’re worried about security, and I’m sure we’re not the only ones.
Update 28/08: This has probably been fixed, but without any official communication from Twitter it is hard to say for sure. The accounts I was using have been suspended and the exploit no longer appears to work as described. Whether it might still be working in a slightly altered form or on other accounts created before the fix I do not know.