SSL Vulnerability in Twitter
A graduate student from Switzerland has just developed a frightening, real-world exploit on Twitter that takes advantage of a newly discovered security hole in the secure sockets layer (SSL) protocol of the social networking site.
Anil Kurmus's personally crafted exploit is a major breakthrough and security risk because it can effortlessly target the purported SSL renegotiation vulnerability to pilfer Twitter login information that's delivered through encrypted data streams.
Critics argued adamantly that the protocol bug was too hard to take advantage of and produced extremely unpromising results compared to other bugs out in the wild.
These experts' skepticism isn't way off, of course; even if hackers were to inject a minuscule amount of text at the start of an approved SSL operation, they'll probably be hard-pressed to discern encrypted data that traveled through the data stream of two parties.
Twitter Vulnerable to SSL Attacks
Nevertheless, despite those boundaries and restrictions, Kurmus managed to exploit the bug in order to appropriate Twitter passwords and usernames as they moved between client software and the social network's servers despite the fact that they were encrypted at the time.
The frighteningly ingenious junior hacker made all this possible by injecting code that made Twitter's application protocol interface load the material contained within the Internet request to a Twitter message once they've been decrypted, which rendered the whole encryption security measure null and void.
After all, even with encryption, there's a point where the encrypted data will have to be decrypted, so using Twitter's services against it seemed to do the trick.
He made his point so that the IT community would take the susceptibility a lot more seriously.
At any rate, Twitter eventually closed the security hole earlier this week in response to Kurmus's actions.