In association with heise online

27 September 2010, 10:54

Another Twitter hole opened and closed


Over the weekend another Twitter hole opened up when postings appeared, one saying "WTF" and including a link and the other proclaiming a preference for a certain sexual activity with goats. People who clicked on the link through the Twitter web front end found themselves looking at a blank page, but in the background, two hidden frames posted to Twitter on their behalf proclaiming the same preference and sending the same link to their followers. Twitter "fixed the exploit" within hours and removed offending tweets.

The problem in this case is that Twitter allows sites to include IFRAMES, which can be hidden on a page. These can perform a GET operation to update the status of the user's Twitter account, because the browser sends the user's Twitter session cookie along with the request. An early analysis pointed the blame at this combination of hidden IFRAMES and GET-based status updates, which makes Twitter vulnerable to CSRF (Cross Site Request Forgery) attacks. The code itself was hosted on which offers free anonymous web-hosting. The attack itself did nothing except add its tweets to the user's timeline.
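To make the CSRF mechanism concrete from the defender's side, here is an added example (not code from The H or from Twitter) that models a status-update endpoint in two forms: the weak pattern the article describes, where a GET carrying only the session cookie is enough to post, and a hardened handler that accepts POST only, checks a per-session anti-CSRF token, and rejects a foreign Origin header. The request objects, the session store, the site origin `https://twitter.example` and the attacker page `http://attacker.example/` are all constructed for the example.

```python
"""Added example: weak (GET + cookie only) versus hardened status-update handler.
Everything here is constructed; it is not Twitter's code or the attack page's code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict                      # query string or form body, merged
    cookies: dict                     # sent automatically by the browser, even cross-site
    headers: dict = field(default_factory=dict)


# Constructed session store: session cookie value -> user name
SESSIONS = {"sess-alice": "alice"}


def weak_update_status(req, timeline):
    """Vulnerable pattern from the article: any request with a valid session
    cookie updates the status, regardless of method or where it came from."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    timeline.setdefault(user, []).append(req.params.get("status", ""))
    return 200


class CsrfStore:
    """Synchroniser-token pattern: one unguessable token per session, embedded
    in the site's own form and compared in constant time on submission."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        tok = secrets.token_urlsafe(32)
        self._tokens[session_id] = tok
        return tok

    def valid(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)


def hardened_update_status(req, timeline, csrf, site_origin="https://twitter.example"):
    """Hardened handler: state changes only on POST, a present Origin header must
    be our own site (hypothetical origin), and the form token must match the session."""
    if req.method != "POST":
        return 405
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403
    if not csrf.valid(sid, req.params.get("csrf_token")):
        return 403
    timeline.setdefault(user, []).append(req.params.get("status", ""))
    return 200


def simulate():
    """Replay the article's scenario against both handlers and return the outcomes."""
    # Constructed: what the victim's browser sends when a hidden IFRAME's src points
    # at the status endpoint; the session cookie rides along automatically.
    forged_get = Request("GET", "/status/update", {"status": "WTF http://link.example"},
                         {"session": "sess-alice"}, {"Referer": "http://attacker.example/"})
    weak_timeline, hard_timeline = {}, {}
    csrf = CsrfStore()

    weak_status = weak_update_status(forged_get, weak_timeline)          # 200: posted
    hardened_get_status = hardened_update_status(forged_get, hard_timeline, csrf)  # 405

    # A forged cross-site POST (e.g. an auto-submitted form) lacks the token
    forged_post = Request("POST", "/status/update", {"status": "WTF"},
                          {"session": "sess-alice"}, {"Origin": "http://attacker.example"})
    forged_post_status = hardened_update_status(forged_post, hard_timeline, csrf)  # 403

    # Legitimate submission from the site's own form carries the issued token
    tok = csrf.issue("sess-alice")
    legit = Request("POST", "/status/update", {"status": "hello", "csrf_token": tok},
                    {"session": "sess-alice"}, {"Origin": "https://twitter.example"})
    legit_status = hardened_update_status(legit, hard_timeline, csrf)   # 200

    return {
        "weak_status": weak_status,
        "weak_timeline": weak_timeline,
        "hardened_get_status": hardened_get_status,
        "forged_post_status": forged_post_status,
        "legit_status": legit_status,
        "hardened_timeline": hard_timeline,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The weak handler writes the forged status to the victim's timeline from nothing more than the cookie; the hardened one rejects the IFRAME's GET on method alone and a forged POST on the missing token, while the site's own form, which embeds the token, still succeeds. Server-side logging of 405 and 403 responses on state-changing endpoints is also a cheap way to spot such a campaign as it starts.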
