Learning from other’s mistakes: Twitter Security

Unless you have been sleeping under a stone for the past four years then you must have heard about Twitter in some way or another. The original idea behind Twitter was to provide a social network where everyone can tell followers what he or she is up to. The only restriction with Twitter is that each message has to be 140 characters or less.

Most times it makes little sense to implement high security features for services that do not deliver sensitive content. The original concept behind Twitter was to simply deliver short text messages with little value and at first glance, a Twitter account does not seem to have much value. Twitter accounts are free and the only information that you send out using Twitter is supposed to be small talk (eg. “Made lemon vanilla cupcakes with..”).

However it didn’t take too long for politicians, organizations and consultants to start using it in their marketing strategies or as a way to stay in touch with a large number of people. Whenever a well known media personality joined Twitter (such as Oprah), a large number of fans would follow. As people and organizations started relying on the service more and more, Twitter’s value increased, while the level of security did not change much. During the US presidential elections, politicians used Twitter as a way to quickly update the public about the latest news. Some people might also exchange information that is sensitive in nature by making use of the private message feature. There are also payment methods that rely on Twitter such as Twitpay and Tipjoy. Twitter was never meant to be used as a payment service, yet people started creating ways to do just about that.

When security is given little importance from the start, web applications have a tendency to have vulnerabilities. In the recent months, Twitter has taken quite a beating when it comes to security. The service has been host to worm attacks, spammer and malware content. What sorts of vulnerabilities were exploited.

Earlier this month, a large number of Twitter accounts started linking to a particular website (StalkerDaily). The reason? A worm was making use of a cross site scripting (XSS) vulnerability in Twitter. The vulnerability was in the account settings page, where victim browsers could be forced to update their profile URL to include javascript code within their page. This javascript code would then do its job as a worm and attempt to infect new Twitter users who visit the infected profile. The vulnerability appeared to be quite a standard XSS security flaw. Even when Twitter said that they initially fixed the flaw, new rounds of a modified worm were infecting Twitter users.

XSS worms were not the only problem that Twitter faced. Some accounts on Twitter have more value than others, such as Barak Obama’s or Britney Spear’s twitter account. When these high profile accounts were compromised, the attackers could reach thousands and millions of followers and send them ‘funny’ messages as well as link to malicious code. These high profile accounts were compromised due to a weak password used by Twitter’s own support.

Then there are attacks that many other popular services are vulnerable to. Phishers have been known to target Twitter accounts where people receive direct messages on twitter linking to web pages that appear to be a Twitter login screen. When it comes to encryption, Twitter still does not enforce encryption by default. Even if one chooses to use HTTPS instead of HTTP, Twitter is still vulnerable to Surf Jacking and similar attacks that can downgrade an HTTPS session to HTTP and allow attackers to hijack Twitter accounts. Finally, spammers have acknowledged the value of Twitter and started using it as another platform to conduct their unsolicited “business”.

One lesson that we should have learnt by now is that for services, such as Twitter, that have potential for growth, security becomes an issue sooner or later. If it is not taken seriously from the start, then it will be much more expensive and generally harder to implement security once the service has taken off. In the case of the XSS worm, the vulnerability appears to be a classic XSS. Such vulnerabilities could be easily found through both automated testing and manual approaches. It would be a mistake to assume that such a web service only needs to be tested once. Websites, especially social networks are dynamic, alive and constantly changing. Any code or feature updates can introduce new security flaws and therefore periodic security reviews are required if such a service is to take security seriously.

Share this post
  • Leave a Reply

    Your email address will not be published.


    *