July 31, 2008, 9:34 PM — Attackers can exploit a bug in Twitter to force victims to follow the hacker's account, a security researcher said Thursday.
According to Aviv Raff, the Twitter vulnerability could expose users to malware-hosting Web sites. "It can force people to follow you, which means all your twits will be showed in their Twitter home page -- including potentially malicious links," Raff said during an interview conducted via instant messaging.
On a site dubbed "Twitpwn" that he launched earlier Thursday to report research he's done on the social networking and micro-blogging service, Raff spelled out only the basics. "Twitter security team was notified on 31-July-2008," he said on the site. "Technical details will be added as soon as this vulnerability will be fixed."
Twitter will have a fix in place by Friday, Raff added.
An attacker can currently leverage the bug by tricking users into clicking on a link on a malicious or hacked Web site. From that point, the victim's Twitter account is automatically set to follow the attacker's.
On Twitter, "following" another means receiving all updates, or "tweets," sent by the other user. Those tweets are collected and displayed on the following user's Twitter home page, or on their phone or in their instant messaging client.
This Twitter bug is the newer of a pair that Raff has found on the service. Last week, he reported another vulnerability that allowed spammers and phishers to send e-mails that included links to malicious sites to other Twitter users. Twitter patched that flaw today.
Expect more Twitter research, Raff said. "I'm working on several ways to abuse Twitter as a platform [and I'll] publish my research in this blog when I'm done," he said, referring to his Twitpwn site.
Raff is better known as a browser vulnerability researcher, notably for his part in May in uncovering a threat posed by the "carpet bomb" bug in Apple Inc.'s Safari to users of Microsoft Corp.'s Internet Explorer. Most recently, he warned of several bugs in Apple's iPhone that could be used by phishers to dupe users into visiting malicious sites or by spammers to flood the phone's in-box with junk mail.
