Researchers Devise a New Twitter Attack
April 9, 2009 Computer Safety Tip
Computer security researchers have devised a new Twitter attack that they say could spread virally, much like a worm, on the microblogging service.
The attack, which researchers at Secure Science posted online on Thursday, is a harmless proof of concept that forces users to send out a prearranged Twitter message, but it could be converted into a very malicious worm, said Lance James, Chief Scientist with Secure Science.
The hack is similar to the clickjacking attack that made the rounds on Twitter last month. That attack used a devious technique to trick users into clicking a link without realizing what it did; the click would post a Twitter message saying “don’t click” along with a URL.
Secure Science’s researchers have now found a way to exploit a Web programming error on Twitter’s support site to post the unwanted message. After displaying a warning, Secure Science’s test code posts the message “@XSSExploits I just got owned!” to the victim’s profile.
A malicious user could do much worse with this bug. The attack could be modified to show no warning screen, or upgraded with a sensational message that users would be more likely to click. If combined with malicious browser exploit code, it could be used to take control of the victim’s machine.
Twitter could disable the attack by fixing the cross-site scripting flaw that the Secure Science researchers were exploiting, but if a similar bug popped up on the site, users would face the same problem all over again.
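The fix the article refers to is the standard one for a reflected cross-site scripting bug: never place untrusted input into HTML without escaping it for that context, and send headers that stop the page from being framed (the clickjacking variant mentioned above). The following is an added example written for this page, not Secure Science's test code or anything from Twitter's site; it assumes a hypothetical page that echoes a `q` query parameter, and the payload in `SAMPLE_QUERY` is constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string: the "q" parameter carries HTML markup
# (URL-encoded "<script>alert(1)</script>"), the classic reflected-XSS probe.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _search_term(query_string: str) -> str:
    """Pulls the first "q" value out of a raw query string (hypothetical handler)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echoes the search term into the HTML body verbatim.

    This is the defect class the article describes: attacker-controlled text
    becomes part of the page's markup and runs as script in the victim's session.
    """
    return f"<p>Results for: {_search_term(query_string)}</p>"


def render_hardened(query_string: str) -> str:
    """Escapes the term for the HTML-text context before interpolating it.

    html.escape turns < > & " ' into entities, so the browser renders the
    payload as literal text instead of parsing it as a <script> element.
    """
    return f"<p>Results for: {html.escape(_search_term(query_string), quote=True)}</p>"


def hardened_headers() -> dict:
    """Response headers that limit script injection and forbid framing.

    frame-ancestors 'none' (and the older X-Frame-Options: DENY) stop the page
    from being embedded in an attacker's frame, which is what clickjacking needs.
    default-src 'self' blocks inline and third-party script even if markup slips through.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    }


def contains_active_markup(rendered: str) -> bool:
    """Crude detection check used here to compare the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("hardened:  ", render_hardened(SAMPLE_QUERY))
    for name, value in hardened_headers().items():
        print(f"{name}: {value}")
```

Escaping must match the context the value lands in (HTML text, attribute, URL, or JavaScript each need different encoding); `html.escape` is correct only for the body-text case shown here. The headers are defence in depth, not a substitute for the escaping.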
The company instituted a full security review in January after hackers gained access to the accounts of President-elect Barack Obama, Fox News and CNN.