Thursday, July 31, 2008


Twitter can be abused to send SPAM emails with links to potentially malicious websites.
This can be done because of the way Twitter sends mails to the users, and because twitter does not sanitize the full name of the user.
So, if for example, an attacker sets his full name to and follow his victim, the victim will get an email. Now, because Twitter sends the email as “plain text”, the attacker’s name will be a clickable link. A *potentially malicious* clickable link.

Twitter security team was notified on 26-July-2008.
Twitter fixed this vulnerability on 31-July-2008.
Note that now you cannot use a dot in your full name (e.g. Bill.Gates). This will bring an error: "Name must not contain URLs".


Anonymous dblackshell said...

well they could use better input check rather than just verify for a dot (or more)... because the following url is also a valid one...
http://1089059683 (google)

September 10, 2008 1:59 PM  
Anonymous Anonymous said...

Hi I would like to know how this works: http://1089059683
I can hardly remember how, all i can recall is that it has something to do With the DNS if Im not mistaken...


April 28, 2009 8:28 AM  
Blogger STRSHR said...


June 16, 2009 10:23 AM  

Post a Comment

<< Home