back to article Amateur goof makes Twitter account hijacking a snap

Twitter is sitting on an amateur configuration blunder that makes it trivial for attackers to take control of user accounts, a researcher said Friday. The error resides in an Adobe Flash object hosted on the microblogging site, said Mike Bailey, a senior security analyst with penetration testing firm Foreground Security. …

COMMENTS

This topic is closed for new posts.
  1. Shane 8
    Thumb Up

    NoScript FTW

    NoScript FTW !

    --nuff said

    1. Big-nosed Pengie

      Title

      Anyone not using it deserves all they get.

      1. sT0rNG b4R3 duRiD

        And the corrolary...

        Anyone using Twitter deserves all that they get.

  2. Dennis SMith
    Thumb Down

    Another reason

    for not being a twit.

    1. frank ly
      Headmaster

      A Minor Point

      In this use/meaning, the word is pronounced as 'twat'.

  3. Ammaross Danan

    NoScript good,....

    Not having JavaScript running on sites that require it? Bad. Talk about a long exception list....

    1. jackharrer

      reply?

      Yes, but in most of the cases you whitelist sites you go most often and then just add new ones as you crawl there. It's not optimal, I agree, but heck, that's how it works.

      I'd be happy to see a managed list (something like Adblock subscription list) with whitelisted domains. If somebody's paranoid, they can always disable it and go the old school way.

    2. Shades

      Believe it or not...

      ...most sites don't require JavaScript to be active for anything other than their OWN domain and/or CDN. The rest is usually just GoogleAds, Google Urchin/Analytics, and other advert serving companies. For instance, for El Reg, I only have register.co.uk allowed and the site remains FULLY functional. Google-Analytics.com, quantserve.com and doubleclick.net are definately not required and actually lead to a better layout of the site (no banners at the top of the page or mid story ads) as text often, if not always, re-flows to occupy the additional white space.

      I'm sure we can guess which kind of sites you're visiting if your getting JavaScript served from many different domains... and they're the exact kind of sites that you DON'T want to be allowing to serve you JavaScript from all over the shop!

      As a side-note I have noticed Google, being the devious b*stards they are, hosting JQuery scripts, which many sites rely on for "glitzy" functionality, from their analytics domain. I'm sure you can see the problem* with that.

      * Actually, its not so much of a problem as, for instance, sites that use a Google hosted JQuery "lightbox" scripts often just fallback to opening the image in a new window/tab so you don't actually need to allow Google Analytics for many sites to remain functional... if a little "old-school"! Google are just being evil by trying to "force" people to allow analytics!!

  4. This post has been deleted by its author

  5. heyrick Silver badge

    Twitter hack?

    So you can click a link to pwn Twitter once you're logged in to Twitter...

    ...does this mean you can only remotely pwn your own account, or anybodies account?

  6. Yet Another Anonymous coward Silver badge
    Boffin

    So what ?

    Since nobody over the age of 8 uses Twitter (except Steven Fry)

    This is going to have about the same effect as the security flaws on the Sinclair spectrum that allowed me to write

    10 print "Dixons is crap"

    20 goto 10

    All those years ago

    1. PirateSlayer

      Flash

      That won't flash, or go diagonally accross the screen will it? I demand you recode that!

      1. Dale Richards
        Boffin

        Come on...

        Where's your creativity? Where's your seizure-inducing colours? And the all-important line 40 to stop it from halting with the "scroll?" prompt when the screen gets full!

        10 RANDOMIZE

        20 LET x = INT(RND * 7) : LET y = INT(RND * 7) : LET z = INT(RND * 7)

        30 PAPER x : INK y : BORDER z

        40 POKE 23692, 255

        50 PRINT "Dixons is crap ";

        60 GOTO 20

        And they called it a mis-spent youth....

  7. Anonymous Coward
    Thumb Down

    > "This is not Adobe's fault,"

    Oh yes it fucking well is. No such thing as crossdomain.xml should even exist in the first place. It is an utterly misbegotten notion that totally fails to close down the fundamental hole that flash opens in the same-origin security model.

  8. Graham Marsden
    Flame

    Wow! So you can hack a twitter account...

    ... and then...?

    Who gives a fuck?!

  9. Phillip Webster
    Badgers

    Those moaning about Twitter

    Go back and re-read the article. It's other websites as well, Twitter was just an example. Although I agree it's an over-hyped service.

    Does remind me why I stick with FF despite it being a blundering memory hog these days (3.6 is a minor improvement). Still waiting on noscript-a-like support on other browsers (adblock+ and flashblock would be nice as well, but we can't have everything).

    1. Anonymous Coward
      WTF?

      No idea what you're doing differently

      but Firefox isn't a memory hog when I use it.

      1. Simon C

        firefox memory hog

        Actually the memory issue tends to be related to No-Script - as much as I love the blocking add-on, I do find I purge my whitelist every 12 months or so for a performance boost.

        Under vanilla operation FF runs about 20-30 meg,....currently with my NoScript whitelist it runs at 76. (whitelist contains about 280 entries)

  10. Mos Eisley Spaceport
    FAIL

    Twitter twatter twotter

    Please people, it's just more of the same web 2.0 crap.

    Walk away.

  11. Mr Templedene

    @Phillip Webster

    Opera has had content blocking (equivalent of ad-block) and the ability to control or disable javascript and plugins for ages.

    You can control it on a site by site basis as well.

    It's where the Firefox developers get most of their ideas from!

    1. Crazy Operations Guy
      Thumb Down

      Yeah, but...

      How about making the damn functions visible. People use NoScript since it sits on the bottom showing off its usefulness and being pretty easy to configure

    2. Phillip Webster

      Not with the same ease

      I know Opera has the ability to do much of this stuff, but it's not at the same UI level.

      For example, everything is disabled with these add-ons on Firefox, I visit a site, I get a few missing items and sometimes some scrambled content from where javascript has been used (usually unnecessarily).

      If I then want to enable javascript I have an icon in the bottom-right of the browser window I can click and choose the sites I wish allowed. Usually the site the page is on itself is the most likely to be safe and will fix almost all the issues.

      As far as I can tell, to get the same use out of Opera I need to go fiddling through the options to enable things each time I visit a site. I also need to know in advance which sites I need to allow (it's not always obvious where sites are getting their javascript, which is another advantage of noscript).

      In short, I acknowledge Opera has the ability, but it lacks the ease of use in this area.

      I do use Opera on occasion, same as I use Chrome and, if forced, IE. I just prefer the security package I currently have set up with FF for most browsing. Personal choice and all that. ;o)

      1. This post has been deleted by its author

  12. Jason Bloomberg Silver badge
    Joke

    Hyperbolic reaction

    "I can think of a million ways to use this as an attacker"

    And I've told him a million times not to exaggerate.

    Plus he's not an "attacker" and I've told him a gazillion times not to lie :-)

  13. Robert Carnegie Silver badge

    With Opera you only start having a problem when you enable JavaScript.

    But I agree, it is quite fiddly to enable Javascript for a site in Opera, then it takes a while to process the new instruction - that may be because I have about 100 web pages open, perhaps it goes through them all evaluating my new preferences.

    And then the web site still may not work with Opera. I think the main current gap is in support for dynamic thingies of some sort.

    But the problem isn't "Opera isn't safe from this".

    Then again, I think you also have to decide to disable Javascript in the first place...

  14. Al fazed
    FAIL

    Even No Script

    has it's off days and cannot be relied upon, unfortunately.

    I have come across a problem where NoScript installed in Firefox using a strange foriegn language, not English. Consequently, not much can be understood of the message content when it stops a script. Making it absolutely useless on my children's PC.

    Er, even the program writer has been unable to fathom out this one. Any takers ?

    And as for Firefox, you penguin heads might know why I cannot see the media player controls on my Myspace account. Flash Block isn't stopping the adds from playing, just the control panel ? NoScript would appear

    superfluous at this time.

    PS I'm using Ubuntu 9.04 and SeaMonkey is very wonkey too. Hence the use of Epiphany and Opera, the only browsers that actually work under my version of Linux. Sheesh !

    ALF

  15. Anonymous Coward
    Anonymous Coward

    Just a minor rant

    Out of the twenty two replies at the time of writing not one comment has addressed even vaguely the actual content of the article, with the possible exception of the first sentence from Phillip Webster. All I can see is the usual Twitter is crap, Twitter users are twats, they should use adblock plus turbo with go faster stripes type comments. I'm no stranger to asinine comments but once something has been said is there a need to repeat it. Please Ms.Moderator bring back the automatic response option.

    I can't contribute anything because I'm not knowledgeable enough but I wish those who are equally less gifted would STFU and let those who are actually say something constructive.

  16. Anonymous Coward
    FAIL

    Excuse me while I state the obvious

    Since no-one is interested in what anyone says on Twitter, who will read the "I've been pwned" message except other twats - some of whom may have just posted their own similar message...

This topic is closed for new posts.

Other stories you might like