Twitter Vulnerability History

More and more bloggers are using Twitter as a micro-blog service. In Twitter’s words:

Twitter is a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

It's interesting to me to compare vulnerabilities discovered in different web 2.0 frameworks. Can a comparison be drawn between rivals? Is there a common string binding these issues? Are these platform specific? Twitter has been developed using Ruby on Rails.

This week we take a look back at some of the “publicly released” vulnerabilities for Twitter.

Spoof Mobile Numbers

A security vulnerability was reported on April 7, 2007 by Nitesh Dhanjani & Rujith. The problem was that Twitter used the SMS message originator (the sender's phone number) as the authentication of the user's account. Nitesh used fakemytext.com to spoof a text message, whereupon Twitter posted the message on the victim's page. This vulnerability can only be used if the victim's phone number is known. Within a few weeks of this discovery, Twitter introduced an optional PIN that its users can specify to authenticate SMS-originating messages.[1]

Weak Twitter Administrator Account

On January 5, 2009, 33 high-profile Twitter accounts were compromised, and falsified messages—including sexually explicit and drug-related messages—were sent. The accounts were compromised after a Twitter administrator’s password was guessed via a dictionary attack.[2]

Weak Sessions

Brian Shaler (brianshaler.com), in a 2008 blog entry, describes how his Twitter account was hacked by a friend. After tarnishing his online reputation, the friend was persuaded to give back the account and Brian managed to change his password. However, this did not seem to help: his friend still had access because he was already authenticated. Twitter's sessions did not expire on a password change, so access was granted for as long as the friend kept an active session and didn't log out.[3]
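The failure described above, as an added example (not Twitter's code): a toy Ruby session store in which the weak mode honours any known token, while the hardened mode binds each session to the password generation current at login, so a password change invalidates sessions issued before it. The `User` and `SessionStore` classes are hypothetical and the digest is a toy stand-in for a real password hash.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Twitter's code). Hardened mode records the user's
# password generation in each session; set_password bumps the generation,
# so a session the friend still holds stops validating after the change.
class User
  attr_reader :password_generation
  def initialize(password)
    @password_generation = 0
    set_password(password)
  end
  def set_password(password)          # bump generation on every change
    @digest = Digest::SHA256.hexdigest(password)   # toy digest, not bcrypt
    @password_generation += 1
  end
  def password?(password)
    Digest::SHA256.hexdigest(password) == @digest
  end
end

class SessionStore
  def initialize(bind_to_password:)
    @bind_to_password = bind_to_password
    @sessions = {}                    # token => { user:, generation: }
  end
  def login(user, password)           # returns a session token or nil
    return nil unless user.password?(password)
    token = SecureRandom.hex(16)
    @sessions[token] = { user: user, generation: user.password_generation }
    token
  end
  def valid?(token)
    s = @sessions[token]
    return false unless s
    return true unless @bind_to_password   # weak: a known token suffices
    s[:generation] == s[:user].password_generation
  end
end

# Replays the incident: the friend logs in with the old password, the
# owner changes it, and we ask whether the friend's session still works.
def friend_still_logged_in?(bind_to_password)
  owner = User.new('old-secret')
  store = SessionStore.new(bind_to_password: bind_to_password)
  friend_token = store.login(owner, 'old-secret')
  owner.set_password('new-secret')
  store.valid?(friend_token)
end
```

With `bind_to_password: false` the friend stays logged in after the change; with `true` the same token is rejected.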

Phishing Attacks

You get an email: "hey! check out this funny blog about you…" When you click the link you are redirected to a Twitter look-alike site. Once you enter your login name and password, the fake site captures these details and probably redirects you to the real Twitter site.[4]

Support Tools Hacked

On 05 January 2009, 33 accounts were hacked, including Twitter-ers like Rick Sanchez and Barack Obama. After a spree of malicious activity, the vulnerability exploited sounds like some sort of persistent cross-site scripting attack:

These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck.[5]

Twitter opted to have “a full security review of all access points”.

Click Jacking

12 February 2009 saw a "negative suggestion" based click jacking attack targeting Twitter. Watch out for links from accounts prefaced by the words "Don't click". This technique seeks to trick web users and can take action on your behalf while you perform seemingly unrelated tasks.[6]

Refs

  1. http://en.wikipedia.org/wiki/Twitter
  2. http://en.wikipedia.org/wiki/Twitter
  3. http://brianshaler.com/blog/2008/11/23/twitter-security-issue/
  4. http://blog.twitter.com/2009/01/gone-phishing.html
  5. http://blog.twitter.com/2009/01/monday-morning-madness.html
  6. http://blog.twitter.com/2009/02/clickjacking-blocked.html

Comments

[...] Luckily David Kierznowski of blogsecurity.net already did so and so I’m pleased to refer you to his article: Twitter Vulnerability History [...]

I also noticed that Twitter has been getting into serious security issues since 2008. I believe Twitter should invest to make it more secure, at least making us feel safe.

Very good article. Thanks. I just changed my twitter password again.

Need to change your password every month and everything will be fine

[...] Well it looks like we can add this to our recent Twitter vulnerability history post. [...]
