A graduate student from Switzerland has just developed a frightening, real-world exploit on Twitter that takes advantage of a newly discovered security hole in the secure sockets layer (SSL) protocol of the social networking site. Anil Kurmus's personally crafted exploit is a major breakthrough and security risk because it can effortlessly target the purported SSL renegotiation vulnerability to pilfer Twitter login information that's delivered through encrypted data streams.

When the bug was first discovered two weeks ago, many researchers believed it to be a abstruse issue with little impact on the general scheme of IT security. Critics argued adamantly that the protocol bug was too hard to take advantage of and produced extremely unpromising results compared to other bugs out in the wild. These experts' skepticism isn't way off, of course; even if hackers were to inject a miniscule amount of text at the start of an approved SSL operation, they'll probably be hard-pressed to discern encrypted data that traveled through the data stream of two parties.

Nevertheless, despite those boundaries and restrictions, Kurmus managed to exploit the bug in order to appropriate Twitter passwords and usernames as they moved between client software and the social network's servers despite the fact that they were encrypted at the time. The frighteningly ingenious junior hacker made all this possible by injecting code that made Twitter's application protocol interface load the material contained within the Internet request to a Twitter message once they've been decrypted, which rendered the whole encryption security measure null and void.

Kurmus says that the whole point of his undertaking is to demonstrate just how easy it is to steal data using the supposedly impenetrable encrypted data streams. After all, even with encryption, there's a point where the encrypted data will have to be decrypted, so using Twitter's services against it seemed to do the trick.

The Zurich-based hacker who'd just finished his master's thesis at the Eurecom Institute further alleges that there's a high possibility that hackers have been using the same technique as he had, but concealed it so that the bug will remain unfixed. He made his point so that the IT community would take the susceptibility a lot more seriously. At any rate, Twitter eventually closed the security hole earlier this week in response to Kurmus's actions.