Thursday, Aug 27, 2009    Text size: 

UK-based developer Dave Naylor revealed yesterday that malicious users can insert a simple bit of code into one of Twitter's text fields. These fields, boxes usually reserved for users to insert links, can simultaneously accept other kinds of code that can direct the site to steal cookies, create worms or otherwise propagate malware to Twitter's considerable user base.

Naylor, who specializes in search-engine optimization, discovered the error and alerted Twitter's brass. Today news has spread that the problem remains unaddressed.

"With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it," Naylor said. "Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets - and they are logged in to Twitter — their account could be taken over."

Naylor added that hackers have many options at their disposal for such malicious applications. They could conceivably redirect browsers to other destinations, erase all of a user's data or start spamming that user's contacts list.

According to online reports, Twitter officials never got in touch with Naylor to discuss the problem or a solution to it.

"In my opinion, it’s completely unacceptable that Twitter engineers never got in touch with Naylor to learn more about the exploit and adequately fix the problem, which the SEO consultant correctly marks a shame. Instead, the startup’s tech team apparently tried fixing it without really looking at the potential security issues," said tech analyst Robin Wauters of TechCrunch.com.

Last month, high-level Twitter officials had their accounts compromised by a hacker who figured out the answers to the security questions associated with their webmail accounts. In addition, word broke that Twitter's primary database was password protected with the code "password."