October 6, 2010

New Twitter security hole can expose direct messages

Twitter may be suffering from yet another embarrassing software security vulnerability, according to SearchEngineWatch.com. Apparently, if you use your Twitter credentials to log in to a third-party website, that site can gain access to your private direct messages. In a technical demonstration using WordPress and the Twitter API, Gary-Adam Shannon shows how a small change to the code on the third-party site that talks to the Twitter API is enough to forward the direct messages of any user who logs in to an email inbox of the site operator's choosing. The user sees nothing unusual: the login works as advertised, and the forwarding happens server-side with the access the site was granted. Twitter has yet to comment on the vulnerability. For now, Shannon recommends not using your Twitter account to log in to third-party applications.

This vulnerability is the latest in a steady stream of embarrassing and crippling bugs in Twitter's platform, and they seem to be surfacing more often. As more visible vulnerabilities appear, more security researchers will likely turn their attention to Twitter and try to find further holes. That isn't a bad thing: the scrutiny now being directed at Twitter's engineers should (hopefully) make the service safer and more reliable in the future.

In early May this year, Twitter users were able to force others to follow them with a simple command inside a tweet. Twitter acted quickly on that flaw: the company issued a status message saying the bug had been fixed and that protected updates had not become public as a result of the "bug". This latest flaw comes less than a month after the company fixed a cross-site scripting vulnerability that crippled the web version of Twitter for several hours on September 21.

If this latest bug is anything like the previous ones, Twitter will likely jump on this and fix it rather quickly. We’ll keep you posted as details emerge.
