Twitter Web might not be safe anymore, and users may want to consider tweeting and browsing only through third-party applications for the time being. Yes, I know, there are all kinds of issues with using a third-party anything. And while I use and love TweetDeck and many are raving about Seesmic Desktop, you still need to hand your Twitter user credentials to them in order to use them. However, after the appearance of two worms on Twitter this weekend, users are faced with a choice between two evils -- taking a chance on third-party apps or using the Twitter Web interface.
There were two Twitter worms reported over the weekend:
- On Saturday, if a user happened to land on an infected Twitter profile page from Twitter Web, that user's profile became infected as well. The worm would take over a user's account and use it to spam out promotions for StalkDaily.com. A 17-year-old New Yorker named Mikeyy Mooney allegedly claimed responsibility for this worm.
- Today, Mashable reported that a second worm, actually named "Mikeyy", was hitting Twitter. According to the report, the "Mikeyy" worm posted messages to Twitter streams using the same technique as StalkDaily. One of the messages even mocks Twitter for its security flaws: "Twitter should really fix this..."
These only impacted Twitter users browsing profiles via Twitter Web. While both of these worms were only used for a sort of Twitter "adware", there's a much bigger issue at hand. It doesn't matter that these worms weren't malicious. What matters is that there's a door open that Twitter seems incapable of closing. The microblogging service reported on Saturday evening that it had fixed the issue. Clearly, given the spread of today's worm, that was either untrue or they are in over their heads.
"Somebody is apparently bent on egging the Twitter property on a repeated basis," said Damon Cortesi of Alchemy Security. "It would seem Twitter has fallen prey to focusing on features and doesn't have a reliable and repeatable security process in place to help prevent security bugs."
Cortesi concurs that these attacks are more nuisances than anything, but also states that given the flimsy nature of Twitter's security a motivated criminal could take advantage of a similar attack to do more damage.
"Security is an ongoing piece of maintenance in software development and needs to be continually addressed as new attack vectors and issues are discovered. As projects get more complex, so do the potential attacks," Cortesi said. "A strong software development process that includes continual security review and testing is necessary to protect from current and future attacks."
Why does this keep happening?
"Where there is software, there are bugs. Twitter has a limited number of input vectors, as opposed to a site like MySpace that allows users to customize their HTML and CSS to a greater extent," Cortesi continued. "That being said, if a new method of encoding some parameter is identified that can bypass current filters, it's possible. A bug in the framework (Ruby on Rails) that powers Twitter's front-end could also make this a possibility. Various site upgrades and code changes can also introduce bugs."
Of course, third-party applications are just as -- if not more -- susceptible to these types of security issues. It's quite probable that attackers will go after these types of Adobe AIR applications, if they haven't already, to obtain access to users' accounts through the Twitter API. Cortesi points out that third-party services used on Twitter are vulnerable as well, such as Twitpic and URL redirection services.
"It's likely that they are just as occupied as Twitter simply trying to keep their services running and add new features," he said. "While other sites deal with cross-site scripting on a regular basis, social networking sites are at much more of a risk due to the typical way that users interact. It's a scary day when viewing somebody's profile can take over your browser."
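Cortesi's two points above, that a filter can be bypassed by an encoding it did not anticipate and that a profile page can take over a viewer's browser, come down to how user-supplied profile fields are rendered. The following Ruby script is an added illustration written for this article; it is not Twitter's code and does not reproduce the worm. It renders constructed sample profiles (the names, bios and URLs are made up) in two ways: a blacklist-style filter that strips one tag spelling, and contextual output escaping (CGI.escapeHTML for HTML text plus a scheme allowlist for the link attribute), which neutralizes every input regardless of how it is encoded.

```ruby
require 'cgi'
require 'uri'

# Constructed sample profiles for the demonstration (not real accounts).
SAMPLE_PROFILES = [
  { name: 'Alice',   bio: 'I <3 Twitter & coffee',       url: 'http://example.com/alice' },
  { name: 'Mallory', bio: '<script>alert(1)</script>',   url: 'javascript:alert(1)' },
  { name: 'Trudy',   bio: '<SCRIPT>alert(1)</SCRIPT>',   url: 'not a url' }
].freeze

# Blacklist approach, kept only for contrast: removes one exact spelling of
# one tag, so any variant it did not anticipate (here, upper case) passes.
def naive_filter(text)
  text.to_s.gsub('<script>', '').gsub('</script>', '')
end

# Contextual escaping for HTML text content: every <, >, &, " and ' becomes
# an entity, so the browser can never interpret the field as markup.
def escape_html(text)
  CGI.escapeHTML(text.to_s)
end

# A URL that lands in an href attribute needs a different rule: allow only
# absolute http/https URLs and reject everything else (returns nil).
def safe_href(text)
  uri = URI.parse(text.to_s)
  return nil unless %w[http https].include?(uri.scheme&.downcase)
  escape_html(uri.to_s)
rescue URI::InvalidURIError
  nil
end

# Render a profile with each field escaped for the context it lands in.
def render_profile(profile)
  href = safe_href(profile[:url])
  link = href ? %(<a href="#{href}">#{escape_html(profile[:url])}</a>) : ''
  %(<div class="profile"><h1>#{escape_html(profile[:name])}</h1>) +
    %(<p>#{escape_html(profile[:bio])}</p>#{link}</div>)
end

# True when the rendered fragment still carries a raw script tag in any case.
def raw_script_tag?(html)
  html.match?(/<script/i)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PROFILES.each do |p|
    puts "naive filter : #{naive_filter(p[:bio])}"
    puts "escaped view : #{render_profile(p)}"
    puts
  end
end
```

The contrast is the point: naive_filter leaves the upper-case variant untouched, while render_profile produces the same inert entities for every spelling, and safe_href drops the javascript: URL rather than trying to enumerate bad schemes.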
Twitter co-founder Biz Stone posted a blog today detailing the worm attacks and stating that the company is taking this very seriously:
We are still reviewing all the details, cleaning up, and we remain on alert. Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future. We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.
However, user trust in Twitter's security is justifiably diminished, especially after this weekend. It's unlikely that many, or any, users will stop using the service because of these issues, which is exactly what attackers are counting on. And as Twitter becomes more popular and more high-profile individuals and entities continue to sign on, the company faces increased pressure and responsibility to get its security act together.