UPDATED 15:29 EST / AUGUST 25 2009

A Potentially Massive Security Hole in Twitter Uncovered


The team at David Naylor Search Monitoring today uncovered what is potentially a truly massive security hole in the Twitter API. They describe it simply and succinctly in their blog post on the topic:

So as I’m sure everyone heard about the other day, Twitter recently added rel=nofollow to links produced by their API (e.g. the client you used to send the tweet). I was playing around with some settings today and noticed something interesting.

If you change the link in the application settings, it affects all of the historical tweets generated by the application. So it’s pretty quick and easy to experiment with different URLs and see what happens.


Oh, no, wait. It works. A clean, followed link out of Twitter again. Isn’t that nice?

Actually, if they were that stupid… what’s to say I couldn’t drop some other content in there? Yup, that works too. Take a look for yourself. Do I hear anyone saying “cross-site scripting”?

If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse – why not use Twitter’s own handily-available API to, I dunno, post a few tweets?

Any Twitter application developers out there I wonder? Maybe I could be more subtle about it, just drop a script in there that goes to their application settings page and changes their URL to drop some malware links around the place.

As it turns out, the account that demonstrates the vulnerability has been terminated by Twitter, but the security hole, as of yet, has not been plugged.

If the language above is a bit too much developer-speak, here is the lay version: the API that Twitter uses to set metadata on tweets, such as what an application is called, is vulnerable to being rewritten by virtually anyone using the method they describe.

Code, potentially malicious code, can be inserted in that field. If an unsuspecting user were to click on the page where the tweet lives on Twitter’s server, the unauthorized code could run on the user’s machine, which opens up all sorts of devilish possibilities, as they described in their post.
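To make the defensive side concrete, here is an added example (not Twitter's code and not from the David Naylor post) of rendering the "from application" link with and without output encoding. It assumes the application URL from the settings page is written into an `href` attribute when the tweet page is rendered; the function names and sample values are hypothetical.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def render_source_unsafe(app_name, app_url):
    """'Before' form (assumed): settings values concatenated straight into markup."""
    return 'from <a href="' + app_url + '" rel="nofollow">' + app_name + "</a>"

def is_safe_url(url):
    """Accept only absolute http(s) URLs with a host and no markup or control characters."""
    if any(c in "\"'<>`" or ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

def render_source_safe(app_name, app_url):
    """Hardened form: validate the URL and HTML-encode both values at render time.

    Because editing the setting changes every historical tweet, the value is
    evidently read when the page is built, so the check belongs here and not
    only on the settings form: values stored earlier are covered as well.
    """
    name = html.escape(app_name, quote=True)
    if not is_safe_url(app_url):
        return "from " + name  # show the name, drop the link
    return 'from <a href="%s" rel="nofollow">%s</a>' % (
        html.escape(app_url, quote=True), name)

# Constructed sample values for the application settings fields.
BENIGN_URL = "https://example.test/app?a=1&b=2"
BREAKOUT_URL = 'http://example.test/" onmouseover="alert(1)'

if __name__ == "__main__":
    for url in (BENIGN_URL, BREAKOUT_URL, "javascript:alert(1)"):
        print("unsafe:", render_source_unsafe("Example App", url))
        print("safe:  ", render_source_safe("Example App", url))
```

In the unsafe output the quote in the constructed value closes the `href` attribute early, so the rest is parsed as markup; the hardened renderer drops the link instead.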

The David Naylor team is promising a video tomorrow that demonstrates the vulnerability.
