Twitter turns blind eye on security risk, takes closer look Down Under

As Twitter begins to focus on Australia for a possible expansion, it has glossed over a quirk that could allow attackers to take partial control of accounts.
Written by Michael Lee, Contributor

A feature intended to make life simpler for Twitter users, by automatically allowing them to follow back users without logging in, has opened up certain accounts to abuse by attackers.

If a user opts in, Twitter sends a regular email whenever the account gains new followers. Users can follow their new followers back by clicking the respective link in the email. That link carries the user's identity, the identity of the person they are about to follow, and a unique key. When nobody is logged in to Twitter, the key alone ties the follow action to the account it was issued for, so the owner of the email account can add the new follower quickly and conveniently without signing in.

The links do expire after a few days; however, this means that if the email is made public, anyone who is not logged in themselves can add or remove followers simply by searching for known text from the email. This Google search, for example, shows a number of sites that in the past week posted the email notification.

Timed correctly, a spammer could follow a user, wait for the email to be published, and then forcefully follow themselves back.

Furthermore, the notification email also includes links to disassociate the email address from the account. Navigating to the link reveals the user's email address, and disassociating it prevents the user from receiving future notifications or resetting their password without help from Twitter.
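The follow-back and unsubscribe links described above are capability URLs: whoever holds the key can perform the action, and expiry is the only mitigation Twitter cites. The added example below (not Twitter's code; the host name, account names and secret are constructed) shows how such an intent link can be issued and checked so that the key is bound to the exact action, lives for minutes rather than days, and is accepted only once, which is what limits the damage when a copy of the email ends up on a public page.

```python
# Added illustration (not Twitter's code): an email "action link" whose key
# authorises one action without a login, hardened so that a leaked copy is of
# little use: the key is an HMAC over the exact action, it expires quickly,
# and it is single-use.
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # constructed; keep a real one in a KMS/HSM
TTL_SECONDS = 15 * 60                       # minutes, not "a few days"
_used_keys = set()                          # replay protection: each key is accepted once


def mint_action_link(account, action, target, now=None):
    """Return an intent URL whose key is bound to (account, action, target, expiry)."""
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    msg = f"{account}|{action}|{target}|{expires}".encode()
    key = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # example.invalid is a constructed host, not a real endpoint
    return f"https://example.invalid/intent?u={account}&a={action}&t={target}&exp={expires}&key={key}"


def _parse(url):
    query = url.split("?", 1)[1]
    return dict(part.split("=", 1) for part in query.split("&"))


def verify_action_link(url, now=None):
    """Accept the link only if it is unexpired, the key matches, and it was never used."""
    p = _parse(url)
    now = int(now if now is not None else time.time())
    if int(p["exp"]) < now:
        return "expired"          # a days-old link found via a search engine fails here
    msg = f"{p['u']}|{p['a']}|{p['t']}|{p['exp']}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["key"]):
        return "bad_key"          # any parameter (e.g. the target user) was altered
    if p["key"] in _used_keys:
        return "replayed"         # the legitimate click already consumed this key
    _used_keys.add(p["key"])
    return "ok"
```

A production service would also keep the used-key set in shared storage with a TTL, and would log the `bad_key` and `replayed` outcomes, since they indicate that a link has leaked.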

It appears that Google is also indexing some of the unique keys necessary to perform "intents" such as following users, retweeting, and marking a tweet as a favourite.

The majority of these intents are to follow a user, but ZDNet has seen a handful that could result in a user being forced to retweet or favourite another tweet.

ZDNet informed Twitter of the issue on November 9, and the Twitter Security Team was able to reproduce the behaviour. However, it has now chosen not to make any changes to its underlying code.

"After examining this issue, we've decided that this is a low-risk issue and we're not going to make any changes to Twitter at this time to address this issue. Users shouldn't be posting their emails on web pages, but even in this case, we have some mitigations in place; for example, the links in the emails expire," the company wrote in response to the issue report.

"There is always a trade-off between security and usability, and in this case we feel, given the mitigations put in place, these emails are worth the risk."

Twitter also appears to be ramping up its presence in Australia. It recently opened an official Twitter account, @TwitterAU, and began verifying the accounts of Australian journalists. The increase in activity has led to speculation that the company will be opening an Australian office.

The Australian reported that Twitter will have a local office this time next year, run by six staff; however, Twitter has remained silent on what it has planned for Australia.

This week, it sent its head of International Development Mike Brown to Australia to meet with sports and entertainment professionals in Melbourne over an invite-only breakfast briefing that will be held tomorrow. Brown is expected to discuss where the company is headed in Australia, and will be joined via video by Omid Ashtari, head of the company's Twitter sports and entertainment team, and Lewis Wiltshire, Twitter UK's head of sport.

Twitter has requested that no media attend the event, but it is likely that news from the event will find its way out, with one of the hosts behind the Melbourne breakfast event, Sean Callanan, encouraging others to listen out for the #twitterbrekkie hashtag tomorrow.

In comparison, Twitter only opened its new offices in South Korea last month. The official @Twitter_kr account opened some two years earlier, on November 16, 2010.