Before everyone panics, let's get one thing clear: the new Twitter worm is only a proof-of-concept devised by computer security researchers at Secure Science - it is not out in the wild. That said, its very existence should raise some questions about the state of security at Twitter - something that's more important than ever given how rapidly the service is becoming mainstream. This latest security concern involves an attack, similar to the clickjacking incident from last month, that takes advantage of a cross-site scripting flaw on Twitter's support site. A victim who clicks a crafted link would be made to post unwanted messages to their own Twitter stream. If those messages were combined with malicious code, "this could even be used to take control of a victim's computer," says Lance James, chief scientist of Secure Science.
The attack, posted online, first displays a warning message and then posts Secure Science's test code "@XSSExploits I just got owned!" to the victim's profile. But if a hacker wanted to use this technique to compromise users' PCs, they could remove the warning screen and combine the link with a sensational message that users couldn't help but click. Add in some browser attack code, and before you know it, clicking a Twitter link could allow a hacker access to your computer. This, says James, "would just tear the cr*p out of Twitter." He adds, "I'm holding my breath, hoping no one does something stupid at this moment."

According to Secure Science researchers, this particular bug can be eliminated by fixing the cross-site scripting flaw - that is, by encoding user-supplied input before the support site writes it back into a page - but if another similar bug were to show up on the site, users would soon face the same problem all over again.
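To make the flaw concrete, here is an added example (not Twitter's code and not Secure Science's proof-of-concept) of the bug class the article describes: a support-form page that echoes a submitted field straight into its HTML, beside the output-encoding fix. The payload string, the field name `subject` and the function `postToVictimStream` it names are constructed for illustration. Script injected this way runs in the victim's browser with the victim's logged-in session, which is how a reflected XSS can make the user post something they never typed.

```javascript
// Added example: reflected XSS in a page that echoes a form field, and the
// output-encoding fix. Toy code; not Twitter's support site or the Secure Science PoC.

// Constructed attack input: closes the value attribute, then injects a script
// element. postToVictimStream is a hypothetical function name, standing in for
// whatever the injected script would do with the victim's session.
const PAYLOAD =
  '"><script>postToVictimStream("@XSSExploits I just got owned!")</script>';

// Vulnerable: the submitted subject is concatenated straight into the HTML,
// so a double quote in the input ends the attribute and the rest is markup.
function renderVulnerable(subject) {
  return `<input name="subject" value="${subject}">`;
}

// Hardened: encode the HTML metacharacters before interpolating. A browser
// then sees text, never a new tag or attribute boundary.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(subject) {
  return `<input name="subject" value="${escapeHtml(subject)}">`;
}

// Crude check usable in a unit test or a response-log review: does the
// rendered HTML contain a script element the template did not put there?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderVulnerable(PAYLOAD));
  console.log('injected?  ', containsInjectedScript(renderVulnerable(PAYLOAD))); // true
  console.log('safe:      ', renderSafe(PAYLOAD));
  console.log('injected?  ', containsInjectedScript(renderSafe(PAYLOAD))); // false
}
```

The fix is per output location: every place the site reflects input has to encode it for the context it lands in (an attribute here; a URL or a script block would need a different encoder), which is why the article's caveat holds - a second unencoded field anywhere on the site is the same bug again.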
Still, one has to wonder, why are they publishing this information publicly instead of alerting Twitter directly? Apparently, it's because the research company is concerned Twitter is not taking security seriously enough. James says he hopes this demonstration will push Twitter into making it more of a priority.
It's easy to see why security professionals may be worrying about the state of security at Twitter - the company has had some rather high-profile incidents as of late. Only last month, a second clickjacking attack was revealed after the company had just finished patching one that was unveiled in January. Also in January, the accounts of 33 high-profile Twitter users, including Britney Spears, CNN news reporter Rick Sanchez, and Barack Obama, were compromised by hackers who defaced their accounts with embarrassing and offensive messages.
At the time, Graham Cluley, senior technology consultant at Sophos advised Twitter "to take a long hard look at its security to ensure that this never happens again, and regain the confidence of its members." Yet since then, more potential attack vectors have been revealed.
If Twitter is indeed replacing, or at the very least, augmenting email for interpersonal communications, then perhaps it's time for us to apply those same age-old rules that once applied to email - be careful what you click. Now that it's finally been drilled into people's heads that email attachments aren't always safe, it seems like we have to start again educating Twitter users that the same goes for links.
But when a service goes mainstream - like Twitter is doing now - it's going to become filled with people who won't give a second thought to security concerns such as these. Instead, without intervention on the part of Twitter to address these issues, consumers are going to end up learning "the hard way" - by becoming victims.
The security problem only gets worse when you think about how easy it is for people to create fake celebrity accounts, not to mention how easy it is for Twitter spammers to join the service. Since Twitter doesn't verify new accounts via email, anyone can sign up with any email address, real or fake, and start posting. There are even opt-in services that Twitter spammers can join to quickly accumulate large numbers of followers in an attempt to appear more legitimate.

Although Twitter is attempting to fight spam on several fronts (they're now disabling accounts that automate re-following for instance), it seems as if more and more Twitter spammers are creating accounts every day. (How many of those SEO advisors and 'life coaches' are for real, I wonder?)
As Twitter explodes into the mainstream, it may be time for them to work on addressing some of these issues before they focus on enhancements to the site like the relatively new "suggested users" section or the in-house ads - features which a few folks suspect may have something to do with Twitter's supposedly soon-to-be-revealed business model. While we understand the service needs to develop its business plan, it recently closed a $35-million financing round, which added even more cash to its previous round ($15 million). Given that the company only has 20 employees, it is (in theory) only burning through around $5 million a year. We're not sure what Twitter is doing with all that money, but we would like to suggest that it use some of it to hire security professionals to help make the service safer...before it's too late.
Comments
Let's see, a theoretical Twitter "security" hole is published at the same time Micro$oft and Facebook are pushing a huge blog and astroturf campaign explaining why Facebook's new home page design is going to crush Twitter. Color me not impressed.
This issue was fixed in less than 24 hours. Too bad the blogpost doesn't mention that at all.
At least one security consultant has noted that the lack of responsible disclosure feels like a PR move, especially when his own experience has shown that Twitter is responsive when security issues are reported to them.
The worst case scenario here is that this *does* happen. Then what? Do you really believe it will have an impact on adoption of Twitter? Personally, I do not.
Twitter has hit the curve of the stick; they are spiking upward at an amazing rate. Honestly, a big story about a security breach would just be more ink for them and most likely drive more traffic/users.
Twitter has much bigger problems wrt scalability right now than security IMHO.
For some reason I'm not too threatened by an XSS attack in an input whose sole purpose is to be delivered to and reviewed by the Twitter team.
I can see links becoming a big security problem for Twitter users. Tweeters are accustomed to clicking on the "tinyurl" etc. links in tweets, when you really don't know what you are clicking on.
As with all popular sites or internet-related apps, they become a bigger target. Hackers love to exploit other people's weaknesses. They can try and stay one step ahead, but I don't think it would matter.
I think you're right. Whoever sparked this security issue (as the first comment mentions), Twitter is a wild place to be, and I have more followers than I have friends because this extra number is spam. Nice for my ego, but it says a lot about the service.
Sorry Twitter!
Another reason for your execs to spend some cash and get real. Proof of concepts spread fast. Just ask Microsoft.
It's a concern for Twitter users that clicking links shortened by TinyURL or any other service may run malicious code on their computers. Twitter needs to be aware of this.
We can rely on Twitter and other internet sites to secure their sites, and we need to also learn how we can protect ourselves. Check out this link; it has some good information about internet security.
I personally believe that this twitter worm could take over many people's minds as they are addicted to twitter. :D
Wow...that was fast. Huge XSS worm from a disgruntled teenager being spread all over Twitter right now...
Learn to code a site, Twitter...
Luckily the worm was written by a script kiddie and it doesn't do much more than post about how great the kid is. Could you imagine if someone with an agenda wrote it, though?