Twitter is vulnerable to cross-site scripting attacks

James Slater found a cross-site scripting vulnerability on Twitter.com, which Twitter claims is now fixed. According to James, it is not fixed. The vulnerability allows malicious JavaScript to be embedded in user tweets. This can result in user accounts being compromised, with owners losing control of their accounts.

The vulnerability comes down to Twitter’s application programming interface (API), which allows developers to interface with Twitter through their own software. Popular software packages like Twhirl, TweetDeck, and HootSuite use this API to create and read posts on behalf of the user. The API does not filter the URL of the applications using Twitter, allowing malicious JavaScript to be sent along with the URL.

This threat is almost impossible for the average user to protect against, as just seeing the tweet is enough to have your account taken over. Twitter’s response to this vulnerability was to filter out space characters from the address box in the application, but this only makes the attack slightly more difficult.
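The following is an added example, not code from Twitter, the reporter, or the original post. It contrasts interpolating an application URL into the tweet's source link as-is, the space-stripping mitigation described above, and a hardened renderer that allowlists the URL scheme and HTML-encodes the output. It goes slightly beyond the article by also covering a `javascript:` URL. All function names and sample values are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

def render_unfiltered(app_name, app_url):
    # Behaviour described in the article: the application URL is interpolated as-is.
    return f'from <a href="{app_url}">{app_name}</a>'

def render_space_stripped(app_name, app_url):
    # The reported mitigation: spaces are removed, but quotes and the scheme pass through.
    return render_unfiltered(app_name, app_url.replace(" ", ""))

def render_hardened(app_name, app_url):
    # Allowlist the scheme, then encode for the attribute and text contexts.
    try:
        parts = urlsplit(app_url)
    except ValueError:
        parts = None
    if parts is None or parts.scheme not in ("http", "https") or not parts.netloc:
        return "from " + html.escape(app_name)  # rejected URL: render the name without a link
    href = html.escape(app_url, quote=True)
    return f'from <a href="{href}" rel="nofollow">{html.escape(app_name)}</a>'

class _FirstAnchor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def href_intact(markup, expected_url):
    """True only if the first <a> has href == expected_url and no attribute besides href/rel."""
    parser = _FirstAnchor()
    parser.feed(markup)
    parser.close()
    a = parser.attrs
    return a is not None and a.get("href") == expected_url and set(a) <= {"href", "rel"}

# Constructed sample values (assumptions, not taken from the original report).
BREAKOUT = 'http://example.test/" onmouseover="alert(1)'
SCRIPT_URL = "javascript:alert(1)"

if __name__ == "__main__":
    for fn in (render_unfiltered, render_space_stripped, render_hardened):
        print(fn.__name__, "->", fn("ExampleApp", BREAKOUT))
    print("javascript: URL ->", render_hardened("ExampleApp", SCRIPT_URL))
```

`href_intact` works as a regression check: it passes only when the supplied URL stays inside the `href` value, which holds for the hardened renderer and fails for the other two.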

More information about this vulnerability can be found on David Naylor’s site. David Naylor is a well-known search marketing consultant who broke the news to Twitter.
