Twitter Security Hole Still Exists

Twitter Operations’ John Adams claimed that the social-networking site had patched a bug that allowed U.K.-based search-engine-optimization expert Dave Naylor to insert JavaScript code into tweets, in the field where application developers would normally link to their product Websites. TechCrunch and Naylor both say: Not so fast.

Naylor apparently duplicated his feat from Tuesday, creating a dummy Twitter account and inserting code that prompts a dialog box to pop up when accessed through the Twitter Website. TechCrunch reports that Twitter never got in touch with Naylor after he reported the issue, instead attempting to repair it on its own.

Naylor wrote on his blog:

With a few minutes’ work, someone with a bit of technical expertise could make a Twitter “application” and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets and they are logged in to Twitter, their account could be taken over.

Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic Website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another Website for someone to use at their leisure.
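As an added illustration of the defensive side (example code, not Twitter’s own and not from Naylor’s post), the snippet below renders a tweet’s “via application” link while treating both the application name and its website URL as untrusted input: the URL is accepted only if it parses as an absolute http or https URL, and both values are HTML-escaped before they reach the page. The `app` field names and the `SAMPLE_APPS` inputs are assumptions for the demonstration.

```javascript
// Added example (not Twitter's code): safely render the "via <application>"
// link that follows a tweet. The application's website URL is the field that
// was abused, so it is never trusted to become an href without validation.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs. javascript:, data:, relative paths and
// unparsable strings are all rejected (null) so they can never reach an href.
function safeAppUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Build the "via" fragment. When the URL is rejected, the application name is
// shown as plain escaped text instead of a link, so a hostile source yields
// no anchor element at all.
function renderViaLink(app) {
  const name = escapeHtml(app.name);
  const href = safeAppUrl(app.url);
  if (href === null) {
    return `via ${name}`;
  }
  return `via <a href="${escapeHtml(href)}" rel="nofollow">${name}</a>`;
}

// Constructed sample inputs (assumption, not real Twitter applications):
// one benign application and one whose fields carry markup and a script URL.
const SAMPLE_APPS = [
  { name: 'Good App', url: 'https://example.com/' },
  { name: 'Evil "App" <b>', url: 'javascript:alert(1)' },
];

// Render every sample; used by the stand-alone run below.
function renderSamples() {
  return SAMPLE_APPS.map(renderViaLink);
}

renderSamples().forEach((fragment) => console.log(fragment));
```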