Twitter Vulnerability Surfaces

January 14, 2007 · 9 comments

Twitter, everyone’s favorite useless yet addictive global away message service thing, seems to have been exploited by a user. Whenever someone visits twitter.com/x and is currently logged into their Twitter account, their Twitter message will say something along the lines of “Looking at Bon’s Twitter page”. I fell victim to this earlier today after I saw a friend’s Twitter say that.

Twitter exploit

I looked around the page source and other included files with FireBug but I didn’t see anything resembling a possible XSS exploit. As of this writing, it seems like the page no longer changes your message. This whole thing made me realize how powerful the exploit or whatever you want to call it could have been, considering many people have their Twitter status embedded on their website.

This is similar to how many people have MyBlogLog badges on their site and the recent exploit for free advertising.



1 Edrei January 14, 2007 at 8:52 pm

Yeah I saw it too from your Twitter…and got hit by the little exploit.


2 Kory Twaites January 14, 2007 at 9:55 pm

24 is HOT tonight! Yeah, I saw your message earlier and kinda raised an eyebrow.


3 zzap January 15, 2007 at 4:34 am

Hmm, I don’t use Twitter’s HTTP interface, I just use its handy little AIM bot. But mind telling me your Twitter username?


4 Paul Stamatiou January 15, 2007 at 4:37 am

It’s in my sidebar… hover over the title.


5 Blaine January 15, 2007 at 3:31 pm

Hey there; I work on Twitter, just following up on this issue.

We previously allowed GET requests to update a user’s status message, which allowed people to maliciously construct embedded links that would automatically change your status. We now require that statuses are updated via HTTP POST requests, which prevents this sort of attack.

This sort of exploit is fairly common, and exists on many popular websites. I expect that we’ll see more of this sort of thing in the next year, as we have in the past (e.g., Google Web Accelerator).

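The GET-to-POST change Blaine describes, as an added Ruby sketch that is not Twitter’s code: a handler that updates the status on any authenticated request (so an embedded image link fires it) beside a hardened one that accepts only POST and also checks a per-session CSRF token, which goes one step beyond the fix stated above. The `Request` struct, handler names and sample session are constructed for the example.

```ruby
require 'securerandom'

# Constructed stand-in for a session-backed HTTP request. The session rides on a
# cookie the browser attaches automatically, which is why a request triggered
# from another site arrives already authenticated.
Request = Struct.new(:method, :params, :session, keyword_init: true)

# Vulnerable handler, matching the behaviour described in the comment above:
# any authenticated request changes the status, including a GET triggered by an
# <img src="...?status=..."> tag embedded on a third-party page.
def update_status_vulnerable(req, statuses)
  return :unauthenticated unless req.session[:user]
  statuses[req.session[:user]] = req.params['status']
  :updated
end

# Hardened handler: the state change is POST-only (the fix described above) and
# the POST must also carry the per-session CSRF token, so a form auto-submitted
# from another site is refused as well.
def update_status_hardened(req, statuses)
  return :unauthenticated unless req.session[:user]
  return :method_not_allowed unless req.method == 'POST'
  expected = req.session[:csrf_token]
  given = req.params['csrf_token']
  return :csrf_rejected unless expected && given && secure_equal?(expected, given)
  statuses[req.session[:user]] = req.params['status']
  :updated
end

# Length-then-XOR comparison so the token check does not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Runs a forged GET, a forged POST and a legitimate POST against both handlers
# and returns each outcome plus the stored status, for inspection or testing.
def run_scenarios
  token = SecureRandom.hex(16)
  session = { user: 'victim', csrf_token: token }          # constructed session
  status = "Looking at Bon's Twitter page"
  forged_get  = Request.new(method: 'GET',  params: { 'status' => status }, session: session)
  forged_post = Request.new(method: 'POST', params: { 'status' => status }, session: session)
  real_post   = Request.new(method: 'POST', params: { 'status' => status, 'csrf_token' => token }, session: session)
  old_app, new_app = {}, {}
  result = { vulnerable_get: update_status_vulnerable(forged_get, old_app) }
  result[:hardened_get] = update_status_hardened(forged_get, new_app)
  result[:hardened_post_no_token] = update_status_hardened(forged_post, new_app)
  result[:status_after_forgeries] = new_app['victim']      # still untouched
  result[:hardened_real_post] = update_status_hardened(real_post, new_app)
  result.merge(status_after_forged_get: old_app['victim'])
end
```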

6 Paul Stamatiou January 15, 2007 at 3:34 pm

Thanks for the update Blaine.


7 Sumeet January 15, 2007 at 10:35 pm

Talking about twitter, did you try Twitterrific by Iconfactory?


8 Paul Stamatiou January 15, 2007 at 10:38 pm

Sumeet, I’m using it now – very nice app.

