January 22, 2010
Twitter Hole Open for Hackers
Twitter has a hole in its code that potentially exposes millions of accounts to malicious hackers. Mike Bailey, a senior security analyst at Foreground Security in Orlando, Florida, says he has found a flaw in the way Twitter's website is coded that would let an attacker exploit a well-known weakness in Adobe Flash, and that the result could be an attacker seeing the passwords of Twitter users. The Flash weakness itself is not new: Adobe has known about it since it was first reported in 2006, has published guidance telling developers how to handle it, and has posted warnings for webmasters who use Flash. Many webmasters, however, are unaware of those warnings, so any site that serves Flash content and has not reviewed Adobe's guidance should assume it may be exposed to the same class of problem.

According to Bailey, the fix on Twitter's side should not take long, since it requires only a small change to how the site is coded, and Twitter may already have made it. Bailey says he has informed the company and plans to present his findings at the Black Hat DC security conference in early February. More worryingly, he says the microblogging service may have been vulnerable for over a year.

If a security analyst in Orlando could find this issue at Twitter, it is a safe bet that malicious hackers could have found it as well, and if they have, chances are you would not know, even if your own account had been compromised. An exploit of this kind gives the attacker your password, and with your password comes your entire Twitter history and everything in it. If that history includes direct messages with sensitive details, the attacker has scored something, and anyone who crawls a freshly scraped database of direct messages between users at scale could easily turn up sensitive information. Fortunately, most hackers are keyboard warriors rather than hardened criminals, and they are not going to use your information against you. Unfortunately, some hackers know hardened criminals well enough to do a good deal of business with them.
There is not much safety for a hacker in ripping people off directly. Hackers tend to compile information and sell it to others or trade it within their communities rather than use it themselves; the hacker steals the data, but it is usually a commercial accomplice, the actual criminal, who goes to the trouble of using it to defraud you. In this case, a more likely scenario has the hacker impersonating you. With your password the hacker controls your account and can start tweeting as you, and by posing as a particular user can prompt that person's friends to click on malicious links. Imagine how quickly someone posing as a popular user could grow a botnet through Twitter. Hackers may not see themselves as criminals, but they do seem to enjoy building botnets, and botnets, too, are traded commercially between hackers and criminals.

Given the publicity this story has generated in the past twelve hours, it is very likely that Twitter has already taken steps to fix the problem. At the time of writing, we have not received replies to our tweets to @twitter and to @biz requesting comment.