XSS vulnerability in twitter… still not fixed.
If you’re a hacker, ID theft person, or spammer please don’t read this, everyone else please do so!
Yesterday David Naylor, a security consultant, highlighted a serious hole in Twitter's security: the API does not filter or encode tweet text for XSS when you post messages through it, so a tweet can carry script that runs in the browser of anyone who views it. The web form and the API are separate entry points, and a check applied only on the form does nothing for tweets posted via the API.
Well, Twitter responded and said it was fixed.
It hasn't been, as this Twitter account (note: it's safe to visit, it's just an example) shows.
So what, you may think? A pop-up box isn't an issue. True, but as David says:
“If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse – why not use Twitter’s own handily-available API to, I dunno, post a few tweets?”
In short, a script injected this way runs with whatever your logged-in Twitter session can do, so it could have done anything he wanted: posted tweets as you, made you follow him, stolen your session cookie, redirected you to a page that tries to install software on your PC (or Mac)… anything. The pop-up is just the proof of concept; the fix that matters is encoding tweet text at the point it is rendered, not filtering it on one input path.
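To make the point concrete, here is an added example (my own code, not Twitter's and not David's proof of concept) modelling the flaw: a web form that strips tags on input, an API path that does not, and a renderer that trusts stored text. The hardened renderer HTML-encodes the tweet no matter which path it came in through. All function names and the sample payload are constructed for this illustration.

```javascript
// Constructed sample tweet: the kind of payload the post describes.
// alert(document.cookie) is the harmless demo; a real attacker would
// send that cookie to their own server instead.
const CONSTRUCTED_PAYLOAD = '<script>alert(document.cookie)</script> #trending';

// Encode the characters that are meaningful in HTML text/attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical web-form entry point: strips tags on the way in.
// Input filtering here only protects this one path.
function postViaWebForm(text) {
  return text.replace(/<[^>]*>/g, '');
}

// Hypothetical API entry point: stores the text untouched,
// which is the gap the post describes.
function postViaApi(text) {
  return text;
}

// Vulnerable renderer: interpolates stored text straight into markup.
function renderVulnerable(storedTweet) {
  return `<p class="tweet">${storedTweet}</p>`;
}

// Hardened renderer: encodes at output, so the entry point no longer matters.
function renderSafe(storedTweet) {
  return `<p class="tweet">${escapeHtml(storedTweet)}</p>`;
}

// Simple check used below: does the rendered HTML contain a live script tag?
function containsActiveScript(html) {
  return /<script\b/i.test(html);
}

// Walk both entry points through both renderers and report which combinations
// leave executable script in the page.
function demo(payload) {
  const viaForm = postViaWebForm(payload);
  const viaApi = postViaApi(payload);
  return {
    formThenVulnerable: containsActiveScript(renderVulnerable(viaForm)),
    apiThenVulnerable: containsActiveScript(renderVulnerable(viaApi)),
    formThenSafe: containsActiveScript(renderSafe(viaForm)),
    apiThenSafe: containsActiveScript(renderSafe(viaApi)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(CONSTRUCTED_PAYLOAD));
}
```

Run it with node and only apiThenVulnerable comes back true: the form filter hides the bug from anyone testing through the website, which is exactly why "we fixed it" can be honest and still wrong. Encoding at render time closes both paths at once, and is the check to run against the API, not just the form, before calling an XSS bug fixed.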