Friday, August 28, 2009

Latest Twitter Vulnerability

While I was blogging about the Twitter attacks, another round has happened. This one is more serious for Twitter users, because it makes you vulnerable if you simply use the Twitter web interface rather than a client such as TweetDeck. You don't have to click anything: just viewing an infected message in your stream from the web is enough.

Once the infected message is sent to you and you see it in the Twitter web interface, the attacker can exploit the flaw. If your browser allows JavaScript to run, which you probably let it do since so many web sites need it to deliver the "rich" experience we have all come to expect, the browser can run a malicious JavaScript program on your computer. Anything that Twitter can do, the attacker can do by exploiting this flaw. In fact, you don't even have to allow your browser to run scripts to be at risk, since any flaw exploitable via HTML links can cause the same issue.

Because the Twitter flaw allows code to be run, an attacker can use it to create a worm: the attacker posts one infected message, gets one user to read it via the web, takes over that user's account to copy the infected message into it, and from there it spreads to other users.

The malware criminal can also make the attack more subtle, stealing information from your computer silently without you realizing you have been attacked.

Fortunately, the original discoverer of the flaw, David Naylor, instead of doing something evil, posted this blog entry with advice and used the flaw only to pop up this image to make the warning clear:



The good news is that the folks at Twitter have been made aware of the issue and are presumably working on a fix (and not just the patch they originally tried to bandage over the problem), and that the folks at Mashable are also aware of the issue and will keep the media spotlight focused on it until it is addressed.

One can expect that it will take time before a complete fix is in place, given how Twitter first attempted to solve it: by simply disallowing spaces in the problem field. This is the opposite of the draconian but trivial fix that more conservative companies might have tried, such as disabling the feature entirely or limiting it to a known white-list of values. Either would have been significantly more secure, but would have essentially crippled that aspect of Twitter.
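The trade-off in the paragraph above, between a patch that blocks one character and a fix that limits a field to a known-good set of values, is easier to see in code. The Python below is an added example for this post, not Twitter's code and not anything David Naylor published. It assumes a hypothetical free-text profile field that holds a website URL (the post does not name the affected field, so the field and every sample value here are constructed), and contrasts a filter that only removes spaces with an allow-list validator that accepts nothing but well-formed http/https URLs built from URL-legal characters, followed by HTML escaping at the point the value is written into the page.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Weak patch in the spirit of the one described in the post: remove spaces and
# accept whatever remains. Every other character, including quotes and angle
# brackets, passes straight through to storage and later to the page.
def strip_spaces_only(value: str) -> str:
    return value.replace(" ", "")


# Allow-list approach for a (hypothetical) website field: the value must be an
# http/https URL made only of characters RFC 3986 permits in a URL.
ALLOWED_SCHEMES = {"http", "https"}
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def validate_profile_url(value: str, max_len: int = 100) -> Optional[str]:
    """Return the URL if it is acceptable for the website field, otherwise None.
    Rejecting bad input outright (instead of trying to clean it) keeps the rule
    small enough to reason about."""
    if not value or len(value) > max_len:
        return None
    if not _URL_CHARS.fullmatch(value):
        return None          # space, quotes, '<', '>' and similar never get this far
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None          # only http/https with a host; any other scheme is refused
    return value


def render_link(value: str) -> str:
    """Render the stored field as an HTML anchor. Validation alone is not the
    whole fix: the value is still HTML-escaped (quotes included) where it is
    written into an attribute, so loosening the allow-list later does not
    silently reopen the hole."""
    url = validate_profile_url(value)
    if url is None:
        return "<span>(no website)</span>"
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, not real Twitter data.
    samples = [
        "http://example.com/blog",   # legitimate value: both approaches keep it
        "http://exam ple.com/",      # space: the weak patch alters it, the allow-list rejects it
        'http://example.com/"x',     # double quote: only the allow-list rejects it
        "ftp://example.com/",        # wrong scheme: only the allow-list rejects it
    ]
    for s in samples:
        print(f"{s!r:28} strip_spaces -> {strip_spaces_only(s)!r:26} "
              f"allow-list -> {validate_profile_url(s)!r}")
        print(f"{'':28} rendered     -> {render_link(s)}")
```

The two layers are deliberate: the allow-list decides what the field may contain, and the escaping decides how it is emitted. Either one alone is the kind of single-point patch the post warns about; together, a character that slips past one rule is still neutralised by the other.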

The approach Twitter has taken thus far suggests that they will attempt to do the minimum necessary to correct the problem. That is a difficult line to draw. However, each step they take in that direction gives us additional protection by making the flaw harder to exploit.

That is the nature of most security measures: they aren't absolute protection, they just make exploiting the weaknesses sufficiently difficult that it isn't worth doing. When that point is reached, we are "safe enough".

While we are waiting for it to become safe enough, we pedestrians have to be very careful.
  • Avoid using the Twitter web interface until you know this issue is fixed.
  • If you are more cautious, you may wish to unfollow people whose motives you doubt or whom you fear may be infected, although there are no known infections that exploit this flaw yet.
For now, this is just a vulnerability and not an actual attack. However, it is a simple enough vulnerability to exploit that, unless it is fixed quickly, it will become an attack.
