U.K. researcher says vulnerability in Twitter API lets an attacker take over a victim’s account — with a tweet
By Kelly Jackson Higgins – Dark Reading
A newly exposed cross-site scripting (XSS) vulnerability in Twitter
lets an attacker wrest control of a victim’s account merely by sending
him or her a tweet.
U.K. researcher James Slater reported the serious flaw earlier this
week, and now says Twitter’s fix in response to his disclosure doesn’t
actually fix the problem. “It seems they’ve made a pretty amateurish
attempt to fix the issue, completely missing the massive problem
staring them in the face,” Slater said in his blog.
The attack basically exploits an input validation weakness in a field
of the form used for adding third-party Twitter clients, such as
TweetDeck and Twitterific. The form doesn’t fully vet what can go in
well as raw HTML code, for instance. “Whatever I type in that box will
appear at the end of my tweets,” he blogged in a follow-up post. “Anyone who sees that tweet will then be viewing that code.”
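The weakness described above is a stored XSS: text typed into the client-registration form is later echoed, unescaped, into every tweet sent through that client. The following JavaScript is an added illustration (not Twitter's code and not Slater's) of why such a field is dangerous and what the two standard fixes look like: HTML output encoding at render time and an allow-list on the form input. The client-name strings, the renderer functions and the allow-list pattern are all constructed for this example.

```javascript
// Added example (not Twitter's code): a "via <client name>" suffix rendered
// into a tweet, first without and then with output encoding, plus an
// allow-list check for the registration form.

// Constructed sample inputs: a benign client name and one carrying markup,
// as a hostile registrant might type into the "application name" field.
const BENIGN_CLIENT_NAME = 'TweetDeck';
const HOSTILE_CLIENT_NAME = 'MyClient<img src=x onerror="probe()">';

// Vulnerable renderer: interpolates the stored client name straight into
// HTML, so any tag in the name is handed to every viewer's browser.
function renderTweetUnsafe(text, clientName) {
  return `<p>${text} <span class="via">via ${clientName}</span></p>`;
}

// Output encoding: replace the five HTML-significant characters so the
// browser treats the name as text, never as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted value is encoded at the point of output.
function renderTweetSafe(text, clientName) {
  return `<p>${escapeHtml(text)} <span class="via">via ${escapeHtml(clientName)}</span></p>`;
}

// Input validation for the registration form (assumed allow-list for this
// example): letters, digits, space, dot, underscore, hyphen; 1 to 32 chars.
// This is defence in depth; output encoding above is still required.
const CLIENT_NAME_RE = /^[A-Za-z0-9 ._-]{1,32}$/;
function isValidClientName(name) {
  return CLIENT_NAME_RE.test(name);
}

// Regression check a test suite could run over rendered output: does the
// HTML contain an actual element of the given tag name (not an escaped one)?
function rendersAsTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Stand-alone demonstration.
console.log(renderTweetUnsafe('hello', HOSTILE_CLIENT_NAME)); // markup survives
console.log(renderTweetSafe('hello', HOSTILE_CLIENT_NAME));   // markup neutralised
console.log(isValidClientName(HOSTILE_CLIENT_NAME));          // false
```

The point of keeping both the allow-list and the encoder is that the form is only one entry point for the stored value; the renderer has no way of knowing which path a name arrived by, so it must encode unconditionally.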