Twitter XSS vulnerability
Secure Science Corporation has published a proof-of-concept XSS vulnerability which it says could be spread virally, similar to a worm, on the popular microblogging service Twitter. The exploit is similar to the "Don't click" clickjacking exploit found at the end of February: when users inadvertently clicked the links while logged into their accounts, the embedded script automatically re-posted itself under their Twitter account.
The exploit makes use of a web programming error on Twitter's support site to post the unwanted message. The test code provided by Secure Science posts the message "@XSSExploits I just got owned!" to the victim's profile. According to Lance James, chief scientist at Secure Science, the attack could be modified so that there is no warning screen and so that it includes a message that would make users more likely to click on it.
Another problem with security on Twitter is that, due to the 140-character limit, users often use URL-shortening services such as Tinyurl.com, which shorten a URL but also mask its destination. This means that users cannot tell whether they are clicking on a trustworthy link.
- Twitter PINs down SMS tweet spoofing, a report from The H.
- Twitter opens OAuth interface, a report from The H.