James Slater, an IT developer with a British firm that specializes in search engine optimization, has found a security vulnerability in the social network Twitter.
The simple act of reading tweets on twitter.com could let somebody steal your login cookie and potentially gain access to your Twitter account, or simply redirect you to a phishing site, among other things.
It works by inserting JavaScript code in the “API” field when adding tweets. Every third-party application you can tweet with has its name shown under the tweet, and that name is placed in the page as-is, so instead of it saying “TweetDeck” there can be a piece of JavaScript code that runs in the browser of anyone viewing the tweet and could do a lot of things.
The JavaScript code could simply redirect you to a phishing site, a malicious site, a porn site or any site in the world for that matter. It could also take your login cookie and forward it to a site which will then store it for later use. I’m unsure about how much they will be able to do with your login cookie, but they could probably get access to your Twitter account with it – without knowing your actual password.
The code should also be able to delete all your Twitter messages or send a message to all your followers.
James Slater has already made Twitter aware of the problem, but so far Twitter apparently hasn’t done anything other than make sure it’s not possible to write a space in the “API” field. I doubt how effective that really is. He therefore urges you to only follow people you know, and not just because they follow you.
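To make the problem concrete, here is an added example (not code from the original post, nor Twitter’s own code) of how the “via app name” line under a tweet turns into stored XSS when the name is inserted unescaped, why a filter that only rejects spaces does not fix it, and what proper escaping looks like. The function names and the app-name strings are constructed for this example.

```javascript
// Added example, not from the original post or from Twitter's code.
// Shows the unescaped "via <app name>" rendering beside an escaped one,
// and tests the space-rejecting filter the post describes.

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: trusts the third-party app name as HTML.
function renderSourceUnsafe(appName) {
  return `<span class="source">via ${appName}</span>`;
}

// Hardened renderer: the app name is untrusted text, so it is escaped.
function renderSourceSafe(appName) {
  return `<span class="source">via ${escapeHtml(appName)}</span>`;
}

// The mitigation the post describes, as an input filter: reject any
// app name containing whitespace. Returns true when the name is accepted.
function passesNoSpaceFilter(appName) {
  return !/\s/.test(appName);
}

// Defender's check on the rendered fragment: is there any element markup
// inside our wrapper span other than the text we meant to show?
function containsInjectedMarkup(html) {
  const inner = html
    .replace(/^<span class="source">/, "")
    .replace(/<\/span>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

const benignName = "TweetDeck";              // constructed
const hostileName = "<script>x()</script>";  // constructed; contains no spaces

// passesNoSpaceFilter(hostileName)                          -> true
// containsInjectedMarkup(renderSourceUnsafe(hostileName))   -> true
// containsInjectedMarkup(renderSourceSafe(hostileName))     -> false
```

The takeaway is that the fix belongs at the output side (escaping on render), not in a character blacklist on the input side.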
I actually also tried the cookie stealing myself once. I found a home-made forum which wasn’t so secure but was still the most visited forum in that country in its niche. I didn’t harm anybody of course, but I managed to steal my own login cookie and save it in a database on an external site, simply by adding re-written JavaScript into a forum post. It’s a matter of escaping the security checks and still being able to inject JavaScript. Of course I made the developers aware of the problem and I hope they fixed it, so let’s hope Twitter also fixes this one, once and for all.
In this video, James Slater demonstrates a bit about how it works:
Well that’s scary! I sure hope Twitter will fix it quickly! I think I’ll check once in a while to see what my latest Tweets have been, to make sure they are things I really put there.
You don’t have to worry about your own tweets as long as you sent them using the web or any respectable third party app 🙂 Of course there’s the chance that if you’ve been a victim of this exploit, that you could have sent something out – but I haven’t heard of anyone being a victim yet, so no reason to worry I’d say 🙂
Oh yeah, I meant if they gain access to my account by stealing my login cookie. I don’t want someone to impersonate me and cheer for the University (sic) of Georgia or something! 😀
.-= Christie´s last blog ..The simplest way to put a clickable header image into the Thesis theme =-.
If it’s not one thing it’s something else, it’s the constant battle between wanting things to be as easy as possible all while having the highest possible security.
.-= Extreme John´s last blog ..The Copycat Company =-.
I wonder if the NoScript Firefox extension would catch this? The nice thing about the extension is that you can turn off the script blocking (which can be a bit overbearing), and it will still block cross-site scripting attacks.
.-= Evan Kline´s last blog ..Screw You iPhone! Stop Stealing All Our (Windows Mobile) Apps… =-.
I suppose it would, then. The Firefox plugin should be able to see that a JavaScript is trying to redirect the user to another domain without the user asking for it first. But to be honest, with cases like this, I think I’ll just fancy my chances and hope for the best. As mentioned elsewhere, I’ve not yet seen one single incident of anybody getting harmed one way or the other with the use of this script, so I see no need for it to affect my browsing experience.
However, this is one of the cases where it doesn’t matter how damn good with computers you are, ’cause if your system is set up to do what it’s told by JavaScript etc., then you’re probably screwed anyway.