Twitter Worm Threat Puts Social Media Security in the Spotlight
Twitter is THE microblogging site du jour, and the soaring popularity of this social network makes it a prime target for hackers and other dubious web types hoping to make a name for themselves. After Twitter was hit by clickjacking earlier this year, critics of its security measures have come forward to expose a new threat: a Twitter worm.
It's easy to see why security professionals may be worrying about the state of security at Twitter; the company has had some rather high-profile incidents of late. Only last month, a second clickjacking attack was revealed just after the company had finished patching one that was unveiled in January. Also in January, the accounts of 33 high-profile Twitter users, including Britney Spears, CNN news reporter Rick Sanchez, and Barack Obama, were compromised by hackers who defaced them with embarrassing and offensive messages.
At the time, Graham Cluley, senior technology consultant at Sophos advised Twitter "to take a long hard look at its security to ensure that this never happens again, and regain the confidence of its members." Yet since then, more potential attack vectors have been revealed.
The Twitter worm is not a real threat but a theoretical one, designed as a friendly warning to the powers that be at Twitter. Twitter is not under any sort of worm attack... yet. However, the developers of the Twitter worm warn that unless the security issues that make Twitter vulnerable to their worm are addressed, it is only a matter of time before a real attack occurs.
The attack, which was posted online, first displays a warning message and then posts Secure Science's test code "@XSSExploits I just got owned!" to the victim's profile. But if a hacker wanted to use this technique to compromise users' PCs, they could remove the warning screen and combine the link with a sensational message that users couldn't help but click. Add in some browser attack code, and before you know it, clicking a Twitter link could give a hacker access to your computer. This, says Secure Science's James, "would just tear the cr*p out of Twitter." He adds, "I'm holding my breath, hoping no one does something stupid at this moment."
According to Secure Science researchers, this particular bug can be eliminated by fixing the cross-site scripting flaw that lets attacker-supplied text run as script in other users' browsers. But if another similar bug were to show up on the site, users would soon face the same problem all over again: any stored XSS hole on a site where every page is built from user-posted text is enough to make a self-propagating worm possible.
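To make concrete what "fixing the cross-site scripting flaw" means in practice, here is an added example (not Twitter's code and not Secure Science's proof of concept). It contrasts two ways of rendering a user-posted message into a profile page: a naive blacklist filter that only strips `<script>` tags, which a worm payload sidesteps, and proper HTML escaping of all untrusted text, which turns the same payload into inert characters. The tweet text and payload are constructed for illustration; the function names are my own.

```javascript
// Added example: why escaping, not blacklisting, closes a stored-XSS worm vector.
// Not code from Twitter or Secure Science. The sample tweet bodies below are
// constructed for illustration only.

// Characters that must be escaped before untrusted text is placed inside
// HTML element content or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape every character that has meaning to the HTML parser.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable approach: a blacklist that only removes <script> tags and
// then concatenates the "cleaned" text straight into markup.
function stripScriptTags(text) {
  return String(text).replace(/<\s*\/?\s*script[^>]*>/gi, '');
}

function renderTweetBlacklist(text) {
  return `<p class="tweet">${stripScriptTags(text)}</p>`;
}

// Hardened approach: escape all untrusted text, regardless of content.
function renderTweetEscaped(text) {
  return `<p class="tweet">${escapeHtml(text)}</p>`;
}

// Crude detector used only to show the difference between the two renderers:
// does the rendered markup contain any tag other than the wrapping <p>?
function containsForeignTag(html) {
  const inner = html.replace(/^<p class="tweet">/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed samples. The second carries no <script> tag at all; it relies on
// an event-handler attribute, which is exactly the kind of payload a blacklist
// written for the last bug tends to miss.
const BENIGN_TWEET = 'Lunch was great & the weather is < perfect >';
const WORM_STYLE_PAYLOAD = '<img src=x onerror="postToVictimProfile()">';

// Run both renderers over a message and report whether it came out inert.
function evaluate(text) {
  const viaBlacklist = renderTweetBlacklist(text);
  const viaEscaping = renderTweetEscaped(text);
  return {
    blacklistLeaksTag: containsForeignTag(viaBlacklist),
    escapedLeaksTag: containsForeignTag(viaEscaping),
    escapedMarkup: viaEscaping,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluate(BENIGN_TWEET));
  console.log(evaluate(WORM_STYLE_PAYLOAD));
}
```

The point of the comparison is the one Secure Science make in the paragraph above: a fix that targets the specific payload (here, `<script>`) leaves the next variant live, whereas encoding every untrusted character at the point where it meets the HTML parser removes the whole class of bug for that output context. On a real site the same discipline has to be applied in every context (attribute values, URLs, inline script), and a restrictive Content-Security-Policy is a useful second layer should an encoding slip through.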
Still, one has to wonder why they are publishing this information publicly instead of alerting Twitter directly. Apparently, it's because the research company is concerned that Twitter is not taking security seriously enough. James says he hopes this demonstration will push Twitter into making it more of a priority.
Tina Kells
Vancouver, Canada