Twitter pulls Flash feature over security concerns

A security researcher has demonstrated the use of a Flash-based Twitter widget to hijack user accounts
Written by Matthew Broersma, Contributor

Twitter has temporarily disabled a feature based on Adobe Flash, after a security researcher demonstrated the feature could be used to hijack user accounts.

"We've been notified about a vulnerability in our Flash widget and out of an abundance of caution we've disabled access as we assess the situation," Twitter said on Friday in an update on its status page.

The company said it was not aware of any attacks that had been carried out using the vulnerability.

Mike Bailey, a senior security analyst with Foreground Security, demonstrated the flaw on a dummy Twitter account on Friday. Bailey used an XML file hosted on his server to exploit the weakness and cause the dummy Twitter account to display: "@mckt_ just pwned my Twitter account. Neat."

The exploit required that a user click on a link while logged in to Twitter, according to Foreground. As a result, Bailey was able to steal the user's session credentials, giving him full access to the account.

The problem is with a Flash-based widget used to display Twitter updates on websites, according to Bailey.

Twitter said the problem does not affect the JavaScript version of the widget. "Please note that the JavaScript widgets are unaffected and are a good alternative for those of you who had been using the Flash version," the company stated.

Bailey demonstrated the Twitter bug ahead of a talk called 'Neat, New and Ridiculous Flash Hacks' that he is scheduled to give at next month's Black Hat security conference in Washington DC.
