Title: Twitter XSS Vulnerability Not Yet Fixed
Post by: don on August 28, 2009, 11:52:59 AM
A major cross-site-scripting vulnerability in Twitter that could result in a user's account being taken over has yet to be fixed despite Twitter's claim that it has, according to the software developer who discovered the bug.
“With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application' and start sending tweets with it,” Slater explained in a blog post Wednesday. “It can be arranged so that if another Twitter user so much as sees one of these tweets -- and they are logged in to Twitter -- their account could be taken over.”
Because of the bug, attackers could capture account credentials, redirect a user to a site of their choosing, alter a user's tweets or "followers," or send messages from a compromised account.
“The main impact is that it could be abused by anyone really, to steal your [login] details or impersonate your Twitter,” Slater, who works for Naylor's search engine optimization company, Bronco Internet, told SCMagazineUS.com on Wednesday.
Twitter was informed about the vulnerability Tuesday before details of it were posted, Naylor said. A member of Twitter's operation team told Naylor that the company had fixed the glitch, but Naylor said the patch doesn't work.
A Twitter spokesperson could not be reached for comment Wednesday.
For complete story: