Twitter site still plagued with many security issues
September 23, 2010
If you're thinking that Facebook is the only social site with Internet security issues, think again!
Twitter said it had identified and fixed some cross-site scripting holes that led to a meltdown on August 10, only to undo the fix with a later website update. Again.
It's becoming clearer now that on average, social sites aren't secure, and these latest security flaws being discovered are troubling. And if it isn't security bugs, it's privacy issues that users seem to be facing more and more these days.
So now some users are asking: is all of this really worth it? Am I wasting my time and energy on something that isn't worth considering, given all the security issues?
But wait, it gets even worse.
The security flaw was mostly used for mischief, but there were incidents of porn and shock site redirects as well, Internet security researchers say. A worm without a malicious payload took advantage of the vulnerability to cause users to retweet their original Tweets after they rolled their mouse over a link, creating hundreds of thousands of spam messages in the process, on top of other issues.
Only surfers using Twitter.com were exposed to the vulnerability. Third-party clients were unaffected, at least for now. However, we will keep you updated if the situation changes.
A Japanese Web application developer named Masato Kinugawa is credited with discovering the security hole in August, and he used it to post multi-coloured rainbow tweets. Then Scandinavian app developer Magnus Holm developed at least one of the "worms" that took advantage of the security vulnerability.
Holm created the worm to test what was possible and did not expect his creation to spread so quickly. In fact, he was astonished at the speed at which the exploit was travelling.
For its part, Twitter said that while the attack created a huge amount of spam and confusion, no greater security threat was posed and users of compromised accounts need not change their passwords.
However, both Kinugawa and Holm disagree with Twitter's comments, and some say Twitter isn't proactive enough in the matter.
Up to 500,000 users (about 100 per second) may have fallen victim to the cross-site scripting attack, according to an analysis by Kaspersky Lab. Other security firms agree.
"Overall, there is no need to change passwords because user account information wasn't compromised through this exploit," Twitter has reassured users in a blog post written after the security breach.
Source: Masato Kinugawa.