Researcher reveals Twitter 'follow' bug

Phishers and scammers can bombard users with links to malicious sites

Attackers can exploit a bug in Twitter to force victims to follow the hacker's account, a security researcher said Thursday.

According to Aviv Raff, the Twitter vulnerability could expose users to malware-hosting Web sites. "It can force people to follow you, which means all your twits will be showed in their Twitter home page -- including potentially malicious links," Raff said during an interview conducted via instant messaging.

On a site dubbed "Twitpwn" that he launched Thursday to report research he's done on the social networking and micro-blogging service, Raff spelled out only the basics. "Twitter security team was notified on 31-July-2008," he said on the site. "Technical details will be added as soon as this vulnerability will be fixed."

Twitter will have a fix in place by Friday, Raff added.

An attacker can currently leverage the bug by tricking users into clicking on a link on a malicious or hacked Web site. From that point, the victim's Twitter account is automatically set to follow the attacker's.

On Twitter, "following" another means receiving all updates, or "tweets," sent by the other user. Those tweets are collected and displayed on the following user's Twitter home page, or on their phone or in their instant messaging client.

This Twitter bug is the newer of a pair that Raff has found on the service. Last week, he reported another vulnerability that allowed spammers and phishers to send e-mails that included links to malicious sites to other Twitter users. Twitter patched that flaw today.

Expect more Twitter research, Raff said. "I'm working on several ways to abuse Twitter as a platform [and I'll] publish my research in this blog when I'm done," he said, referring to his Twitpwn site.

Raff is better known as a browser vulnerability researcher, notably for his part in May in uncovering a threat posed by the "carpet bomb" bug in Apple's Safari to users of Microsoft's Internet Explorer. Most recently, he warned of several bugs in Apple's iPhone that could be used by phishers to dupe users into visiting malicious sites or by spammers to flood the phone's in-box with junk mail.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?