Oops! Now-fixed Twitter vulnerability made it easy as pie to steal passwords


According to TheNextWeb, a dangerous flaw in the design of a Twitter page was enabling plain text passwords to be passed from the user to Twitter’s servers. In other words, a hacker wouldn’t have had to do much to intercept your private login information.

The security vulnerability was caught by Zohar Alon, CEO of cloud security company Dome9. The issue stems from what looks like an oversight on Twitter’s part: the drop-down login menu on a tweet’s detail page did not use the HTTPS protocol. If you’ve ever logged in through a page that displayed a standalone expanded tweet on Twitter’s site, you were sending your password to Twitter’s servers as plain, unencrypted text.


HTTPS, unlike HTTP, encrypts the connection between your browser and the server, which is what makes a login “secure” and obstructs man-in-the-middle attacks. That way hackers can’t intercept your login information between the moment you click “Sign In” and the moment Twitter’s servers receive the login request.

Facebook started switching its users over to HTTPS from HTTP in November in an effort to improve its security efforts, at the risk of a slight lag in performance. The lag, at least for us, is unnoticeable — and the benefit of keeping your account safe seems to far outweigh it. 

TheNextWeb reports that Twitter “looked at the potential vulnerability and addressed it,” which we assume means the team has patched the hole. What’s unclear though is if anyone has taken advantage of this vulnerability, and Twitter isn’t sure how long this vulnerability has been available to hackers. 

Twitter has often been notorious for failing to respond to obvious security issues. Between rampant spam bots and the breaking into and selling off of accounts, the social network has had its hands full.