Most of the time it makes little sense to implement high-security features for services that do not deliver sensitive content. The original concept behind Twitter was simply to deliver short text messages of little value, and at first glance a Twitter account does not seem to be worth much. Twitter accounts are free, and the only information you are supposed to send out using Twitter is small talk (e.g. “Made lemon vanilla cupcakes with..”).
However, it did not take long for politicians, organizations and consultants to start using it in their marketing strategies, or as a way to stay in touch with a large number of people. Whenever a well-known media personality joined Twitter (such as Oprah), a large number of fans followed. As people and organizations came to rely on the service more and more, Twitter’s value increased, while its level of security did not change much. During the US presidential election, politicians used Twitter as a way to quickly update the public about the latest news. Some people may also exchange information that is sensitive in nature through the private message feature. There are also payment methods that rely on Twitter, such as Twitpay and Tipjoy. Twitter was never meant to be used as a payment service, yet people started creating ways to do just that.
When security is given little importance from the start, web applications tend to have vulnerabilities. In recent months, Twitter has taken quite a beating when it comes to security. The service has been host to worm attacks, spam and malware content. What sorts of vulnerabilities were exploited?
XSS worms were not the only problem Twitter faced. Some Twitter accounts have more value than others, such as Barack Obama’s or Britney Spears’s. When these high-profile accounts were compromised, the attackers could reach thousands or even millions of followers and send them ‘funny’ messages as well as links to malicious code. These high-profile accounts were compromised because of a weak password used by Twitter’s own support staff.
Then there are the attacks that many other popular services are also vulnerable to. Phishers have been known to target Twitter accounts: people receive direct messages on Twitter linking to web pages that imitate the Twitter login screen. When it comes to encryption, Twitter still does not enforce it by default. Even if one chooses to use HTTPS instead of HTTP, Twitter remains vulnerable to Surf Jacking and similar attacks, which downgrade an HTTPS session to HTTP and allow attackers to hijack Twitter accounts. Finally, spammers have recognized the value of Twitter and started using it as another platform for their unsolicited “business”.
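The downgrade attack described above works when a session cookie is not marked Secure, so the browser will send it over a plain HTTP connection, and when the site sends no Strict-Transport-Security header that would stop the browser from following a redirect to HTTP in the first place. The following audit helper is an added example, not code from the original post: it checks a captured set of response headers for exactly those two conditions. The header sets, the cookie name `sessionid` and the function names are constructed for illustration.

```python
"""Audit HTTP response headers for the conditions that make an HTTPS
session downgradeable to HTTP (what the post calls Surf Jacking).

Added example, not the original post's code. The header lists below
are constructed; the cookie name 'sessionid' is a placeholder.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value}).

    Flag attributes such as Secure and HttpOnly map to True; keys are
    lower-cased so the caller can test them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_headers(headers, session_cookie_names):
    """headers: list of (name, value) tuples as sent by the server.

    Returns a list of finding strings; an empty list means every check passed.
    """
    findings = []
    present = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in present:
        findings.append(
            "missing Strict-Transport-Security: the browser will follow a "
            "redirect or link to plain http:// for this host")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in session_cookie_names:
            continue
        if "secure" not in attrs:
            findings.append(
                f"session cookie {cookie!r} lacks Secure: it is sent over "
                "plain HTTP once the session is downgraded")
        if "httponly" not in attrs:
            findings.append(
                f"session cookie {cookie!r} lacks HttpOnly: readable by "
                "script injected through an XSS flaw")
    return findings


# Constructed sample responses: the weak configuration and the hardened one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_session_headers(hdrs, {"sessionid"}) or ["ok"])
```

Run against the weak set the function reports three findings (no HSTS, no Secure, no HttpOnly); against the hardened set it reports none. The same function can be pointed at real headers captured from a site you operate, with `session_cookie_names` set to whatever your framework calls its session cookie.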
One lesson we should have learnt by now is that for services with potential for growth, such as Twitter, security becomes an issue sooner or later. If it is not taken seriously from the start, it will be much more expensive, and generally harder, to implement security once the service has taken off. In the case of the XSS worm, the vulnerability appears to be a classic XSS; such vulnerabilities can easily be found through both automated testing and manual review. It would be a mistake to assume that such a web service only needs to be tested once. Websites, especially social networks, are dynamic, alive and constantly changing. Any code or feature update can introduce new security flaws, and therefore periodic security reviews are required if such a service is to take security seriously.
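The "classic XSS" the post refers to is user-supplied text interpolated into a page without output encoding. As an added example (not code from the original post, and not Twitter's code), here is a vulnerable status renderer beside its hardened form, plus the kind of regression check that turns the "periodic review" advice into something that runs on every code change. The `render_status_*` names and the probe string are constructed for illustration.

```python
"""Classic reflected/stored XSS: an unescaped render beside the hardened
version, and a regression check that keeps the fix from silently regressing.

Added example, not the original post's code; function names and the probe
string are constructed.
"""
from html import escape


def render_status_vulnerable(display_name, text):
    # User-controlled fields go straight into markup, so any '<', '>' or
    # quote in the status becomes part of the page: the classic XSS flaw.
    return f'<div class="status"><b>{display_name}</b>: {text}</div>'


def render_status_hardened(display_name, text):
    # HTML-encode untrusted values for the body context. quote=True also
    # encodes ' and ", so the same helper is safe inside attribute values.
    safe_name = escape(display_name, quote=True)
    safe_text = escape(text, quote=True)
    return f'<div class="status"><b>{safe_name}</b>: {safe_text}</div>'


# A harmless markup probe: if it survives unchanged, attacker-chosen tags would too.
PROBE = '<i>probe</i> "x" & y'


def renders_markup_unchanged(render):
    """Return True when the renderer passes raw markup through, i.e. it is
    vulnerable. Intended as an automated test in the project's suite, so a
    later template change that drops the escaping fails the build."""
    out = render("alice", PROBE)
    return "<i>probe</i>" in out or '"x"' in out


if __name__ == "__main__":
    print(render_status_vulnerable("alice", PROBE))
    print(render_status_hardened("alice", PROBE))
    print("vulnerable renderer flagged:", renders_markup_unchanged(render_status_vulnerable))
    print("hardened renderer flagged:  ", renders_markup_unchanged(render_status_hardened))
```

The check deliberately looks for a benign probe rather than a script tag: what matters is whether markup characters reach the page unencoded, not what any particular payload does. Encoding has to match the output context (HTML body, attribute, JavaScript string, URL); `html.escape` covers the first two, and a templating engine with auto-escaping enabled by default is the more robust fix for a whole site.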
Site name: ☆Obaby's H4cking W0rld☆
Author: obaby. Source: ☆Obaby's H4cking W0rld☆