Another Hole In The Twitter Armor Discovered

The security hole appears to only affect private messages, and who uses Twitter for that, right?

Apparently I’m behind on this aspect of Twitter, as I was not aware that there was the possibility of privacy with Twitter – it sort of defeats the purpose, doesn’t it?

The news of the defect comes from Neowin:

Twitter may be suffering from yet another embarrassing software security vulnerability, according to SearchEngineWatch.com. Apparently, if you use your Twitter credentials to log in to a third-party website, that site could gain access to your private direct messages. Gary-Adam Shannon, in a technical demonstration using WordPress and the Twitter API, shows how a small code change in the API code can send direct messages of logged-in users directly to your email inbox of choice. Twitter has yet to comment on the vulnerability. For now, Shannon recommends not letting Twitter log you in to applications.

This vulnerability is the latest in a steady stream of embarrassing and crippling bugs in Twitter’s platform that seem to be popping up more and more often recently. As more visible vulnerabilities surface, more security pros will likely hop on the bandwagon to try to further exploit Twitter. This isn’t a bad thing, as the new attention being thrust on the software engineers at Twitter will (hopefully) make the service safer and more reliable in the future.

Twitter will have to get better, but I seriously wonder if security should be the first concern. There seem to be many times of the day when the Twitter servers are overtaxed and unable to do anything but throw errors. The first thing I would do, other than beef up the server farm, would be to design a more graceful error handling routine.

In early May this year, Twitter users were able to force others to follow them with a simple command inside a tweet. Twitter was quick to act over the flaw. The company issued a status message indicating that the bug was remedied and that protected updates did not become public as a result of the "bug". This latest flaw comes less than a month after the company fixed a fatal scripting vulnerability that brought the web version of Twitter to a halt for several hours on September 21.

If this latest bug is anything like the previous ones, Twitter will likely jump on this and fix it rather quickly. We’ll keep you posted as details emerge.

While the fix is in the works, it will be good that the flaw is being made clear to those that might be affected. Perhaps a few private tweets will help spread the word.
