Thursday, July 31, 2008

Coming up: Auto-follow-me vulnerability

Twitter suffers from a vulnerability which allows an attacker to force his victim to follow him automatically.

The Twitter security team was notified on 31-July-2008.
Twitter partially fixed this vulnerability on 01-Aug-2008. The vulnerability could still be exploited on Internet Explorer; users of other browsers were safe.
Twitter delivered a fix for IE on 04-Aug-2008. The fix was verified on 11-Aug-2008 (sorry, BlackHat/Defcon duties).

Technical details will be added soon...


Twitter can be abused to send SPAM emails with links to potentially malicious websites.
This is possible because of the way Twitter sends mail to its users, and because Twitter does not sanitize the user's full name.
So, if for example an attacker sets his full name to and follows his victim, the victim will get a "new follower" email. Because Twitter sends that email as plain text, the recipient's mail client will auto-link anything in it that looks like a URL, so the attacker's name is rendered as a clickable link. A *potentially malicious* clickable link.

Twitter security team was notified on 26-July-2008.
Twitter fixed this vulnerability on 31-July-2008.
Note that you now cannot use a dot in your full name (e.g. Bill.Gates). Trying to do so produces the error: "Name must not contain URLs".
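The fix described above is an input check on the display name. The following is an added example of such a check, written for this post and not Twitter's own code: it rejects names that carry a URL scheme, a "www." prefix, or dotted labels like "Bill.Gates" (the exact pattern Twitter uses is not known; the error message is the one quoted above).

```python
import re

# Added example: a display-name validator modelled on the behaviour the post
# describes (names containing a dot such as "Bill.Gates" are rejected with
# "Name must not contain URLs"). It is not Twitter's code, and Twitter's
# actual matching rules are an assumption here.

# Things a plain-text mail client will typically auto-link:
#   - an explicit scheme ("http://", "ftp://", ...)
#   - a "www." prefix
#   - two or more hostname-like labels joined by dots ("evil.example")
URL_SCHEME_RE = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://")
WWW_RE = re.compile(r"(?i)\bwww\.")
DOTTED_LABELS_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

ERROR_MESSAGE = "Name must not contain URLs"


def name_contains_url(name: str) -> bool:
    """Return True if the display name looks like, or embeds, a URL."""
    return bool(
        URL_SCHEME_RE.search(name)
        or WWW_RE.search(name)
        or DOTTED_LABELS_RE.search(name)
    )


def validate_full_name(name: str) -> list[str]:
    """Return the list of validation errors; an empty list means the name is accepted."""
    errors = []
    if not name.strip():
        errors.append("Name must not be blank")
    if name_contains_url(name):
        errors.append(ERROR_MESSAGE)
    return errors


if __name__ == "__main__":
    # Constructed sample names, including the one quoted in the post.
    for candidate in ["Bill Gates", "Bill.Gates", "http://evil.example",
                      "www.evil.example", "Bill Gates Jr."]:
        print(repr(candidate), "->", validate_full_name(candidate) or "accepted")
```

Unlike the blanket "no dots" rule the post reports, this version still accepts a trailing dot ("Bill Gates Jr."), since a dot with nothing after it is not auto-linked by mail clients; whether that leniency is acceptable depends on how conservative you want the check to be. Validation at signup is only half of the mitigation: the notification template should also never let user-controlled text be the only clickable thing in the mail.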


This blog is intended to log all past and current vulnerabilities and weaknesses in Twitter.

Feel free to submit new vulns to
All submitted vulnerabilities will be fully credited when posted.