April 12th, 2009
Lesser of two security evils: Twitter Web or third-party clients?
Twitter Web might not be safe anymore, and users may want to consider tweeting and surfing only through third-party applications for the time being. Yes, I know, there are all kinds of issues with using a third-party anything. And while I use and love TweetDeck, and many are raving about Seesmic Desktop, you still need to hand your Twitter user credentials to them in order to use them. However, after the appearance of two worms on Twitter this weekend, users are faced with a choice between two evils — taking a chance on third-party apps or using the Twitter Web interface.
There were two Twitter worms reported over the weekend:
- On Saturday, if a user happened to land on an infected Twitter profile page from Twitter Web, that user’s profile became infected as well. The worm would take over a user’s account and use it to spam out promotions for StalkDaily.com. A 17-year-old New Yorker named Mikeyy Mooney allegedly claimed responsibility for this worm.
- Today, it was reported by Mashable that a second worm, actually named “Mikeyy,” was hitting Twitter. According to the report, the “Mikeyy” worm posted messages to Twitter streams using the same technique as StalkDaily. One of the messages even mocks Twitter for its security flaws: “Twitter should really fix this…”
These only impacted Twitter users surfing profiles via Twitter Web. While both of these worms were only used for a sort of Twitter “adware,” there’s a much bigger issue at hand. It doesn’t matter that these worms weren’t malicious. What matters is that there’s a door open that Twitter seems incapable of closing. The microblogging service reported on Saturday evening that it had fixed the issue. Clearly, given the prevalence of today’s worm, that was either untrue or they are in over their heads.
“Somebody is apparently bent on egging the Twitter property on a repeated basis,” said Damon Cortesi of Alchemy Security. “It would seem Twitter has fallen prey to focusing on features and doesn’t have a reliable and repeatable security process in place to help prevent security bugs.”
Cortesi concurs that these attacks are more nuisances than anything, but also states that given the flimsy nature of Twitter’s security a motivated criminal could take advantage of a similar attack to do more damage.
“Security is an ongoing piece of maintenance in software development and needs to be continually addressed as new attack vectors and issues are discovered. As projects get more complex, so do the potential attacks,” Cortesi said. “A strong software development process that includes continual security review and testing is necessary to protect from current and future attacks.”
Jennifer Leggio, aka "Mediaphyter," writes about the "social business" side of social media, including enterprise, security and reputation issues.