Beware, all you out there in the Twitterverse – it looks like a new vulnerability has hit the troubled microblogging site and this time it has nothing to do with a man howling “Goooooaaaaaaaal!” or a vuvuzela.
Information security blog Praetorian Prefect has dug deep into what looks like a new persistent cross-site scripting (XSS) vulnerability on Twitter that could have spelled even more trouble for the site if it didn’t get taken care of soon.
The hack was originally pointed out by an Indonesian Twitter user who created the account 0wn3d_5ys to show off the hole. We won’t link the account here, because while it appears to be a benign demonstration of the vulnerability, it has the potential to inject malicious code. As opposed to the most recent Twitter scam, where users spread a phishing scam by clicking on a link sent in a Direct Message that said “Is this you?”, an XSS attack requires no action on the user’s part and could be entirely self-propagating.
This particular hack takes advantage of a vulnerability in the Application Registration page, where a shortened link referring to a JavaScript snippet can be inserted, allowing the hack to occur. According to the article at Praetorian Prefect, the vulnerability has been public knowledge for days and Twitter has already been notified. At the moment, the hack still appears to be fully functional.
Twitter said that they “are aware of the issue, have fixed it for new applications and are working to fix it for all applications.” Luckily, this seems to be another case where a security hole was found, reported, and fixed before any havoc could be wrecked across the Internet.