Is Twitter Ignoring An Email Notification Security Threat?

Do you like receiving emails from Twitter?

Some of their emails come in handy. Like learning about new features, for example, or finding out right away when someone mentions you or retweets/favorites your tweets.

But some aren’t so handy – and we just learned that one is downright dangerous.

ZDNet is reporting on a Twitter notification email that you may want to reconsider receiving from now on (or at least until this vulnerability is fixed): the “email me when I’m followed by someone new” feature.

What’s wrong with it?

Well, this feature lets you automatically follow these new followers back by clicking a link in the email, without logging in, and this “link contains information about the user, the person they are attempting to follow, and a unique key.” And although the link expires, “if this email is made public, anyone can add or remove followers if they search for known text in the email and are not logged in themselves. . . [And] Timed correctly, a spammer could follow a user, wait for the email to be published, and then forcefully follow themselves back.”

That all sounds implausible though, doesn’t it? And why is anyone publishing these emails anyway? But this next part is the worst:

Furthermore, the notification email also includes links to disassociate the email address with the account. Navigating to the link reveals the user’s email address, and disassociating it prevents the user from receiving future notifications or being able to reset their password without help from Twitter.

It appears that Google is also indexing some of the unique keys necessary to perform “intents” such as following users, retweeting, and marking a tweet as a favourite.

The majority of these intents are to follow a user, but ZDNet has seen a handful that could result in a user being forced to retweet or favourite another tweet.
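The core of the problem described above is an action link that works for whoever holds it: the only credential is the key in the URL, so a leaked or indexed email is as good as a session. The following is an added illustration written for this post (it is not Twitter's code, ZDNet's, or any real URL scheme; the hostname, state, and helper names are all constructed). It models a bearer-key "follow" intent next to a hardened version that binds the link to the logged-in recipient, signs it, expires it quickly, and allows it to be used only once, so a published copy of the email is harmless.

```python
"""Toy model of e-mail 'intent' links: a weak bearer-key design beside a
hardened one. Constructed example; hostname, state and names are invented."""
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

FOLLOWERS = {}                        # target -> set of follower names (constructed state)
SIGNING_KEY = secrets.token_bytes(32)  # assumed server-side secret, never in the URL


def followers(target):
    return FOLLOWERS.get(target, set())


def _params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# ---- Weak design: the key in the URL is the only check ----------------------
_weak_keys = {}   # key -> (user, target, expiry)


def weak_issue(user, target, ttl=7 * 86400):
    key = secrets.token_urlsafe(16)
    _weak_keys[key] = (user, target, time.time() + ttl)
    return "https://mail.example.invalid/intent/follow?" + urlencode(
        {"user": user, "target": target, "key": key})


def weak_execute(url, now=None):
    """Anyone presenting a valid, unexpired URL acts as `user`; no login needed."""
    rec = _weak_keys.get(_params(url).get("key"))
    if rec is None or (now or time.time()) > rec[2]:
        return False
    user, target, _ = rec
    FOLLOWERS.setdefault(target, set()).add(user)
    return True


# ---- Hardened design: signed, short-lived, single-use, session-bound --------
_used_nonces = set()


def _sign(user, target, exp, nonce):
    msg = f"{user}|{target}|{exp}|{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def hardened_issue(user, target, ttl=3600, now=None):
    exp = int((now or time.time()) + ttl)
    nonce = secrets.token_urlsafe(16)
    return "https://mail.example.invalid/intent/follow?" + urlencode(
        {"user": user, "target": target, "exp": exp, "nonce": nonce,
         "sig": _sign(user, target, exp, nonce)})


def hardened_execute(url, session_user, now=None):
    """The link is a confirmation, not a credential: the browser must already be
    logged in as the user named in it, and each link works exactly once."""
    q = _params(url)
    try:
        user, target, exp, nonce, sig = (
            q["user"], q["target"], int(q["exp"]), q["nonce"], q["sig"])
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(sig, _sign(user, target, exp, nonce)):
        return False                       # tampered parameters
    if (now or time.time()) > exp:
        return False                       # expired
    if session_user != user:
        return False                       # leaked URL alone is useless
    if nonce in _used_nonces:
        return False                       # replay
    _used_nonces.add(nonce)
    FOLLOWERS.setdefault(target, set()).add(user)
    return True
```

With the weak design, a link copied from a published email lets an anonymous visitor add a follower to someone else's account; with the hardened one the same link is rejected unless the visitor is already logged in as the recipient, and even then only once and only within the expiry window. The same pattern applies to the "disassociate this email address" link the post describes: such links should lead to an authenticated confirmation page, not perform the change on arrival.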

Well, someone should tell Twitter about this so they can fix it!

ZDNet did, and Twitter apparently brushed it off as a minor concern not worth their time. We’ve already borrowed enough of ZDNet’s post to explain this potential threat, so check out Twitter’s response over there.

So what should you do? Speaking as someone who finds the “you have a new follower” emails annoying anyway: you could always turn them off.

To do this, go to your settings, then “email notifications” and deselect “when I’m followed by someone new.”

’Tis the season to be hacked, after all!

(Danger image from Shutterstock)