Hackers are exploiting a bug in Twitter that can compromise users' accounts, according to a security researcher.
Aviv Raff said the Twitter vulnerability could expose users to malware-hosting websites. "It can force people to follow you, which means all your twits will be shown on their Twitter home page, including potentially malicious links," Raff said.
Raff launched the website Twitpwn to report the research he'd done on the social networking and micro-blogging service.
"The Twitter security team was notified on 31-July-2008. Technical details will be added as soon as this vulnerability is fixed," he said.
An attacker can currently exploit the bug by tricking a user into clicking a link on a malicious or hacked website. Once the link is loaded, the victim's Twitter account is set to follow the attacker's, with no further action by the victim.
On Twitter, 'following' another user means receiving all updates, or 'tweets', that user sends. Those tweets are collected and displayed on the follower's Twitter home page, or delivered to their phone or instant messaging client.
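The article withholds the technical details of the bug, so what follows is an added illustration of the attack class the description matches, not Twitter's code or Raff's findings: a state-changing 'follow' request that the server accepts on the strength of the session cookie alone, which a link on a third-party page can trigger because the browser attaches that cookie automatically, beside a hardened handler that demands a POST, a same-origin source and a per-session token. The service, endpoint, origin and field names are all hypothetical, and the requests replayed against it are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical origin for the site being modelled; not the real service.
SITE_ORIGIN = "https://twitter.example"


@dataclass
class Request:
    """Minimal model of what the server sees: method, path, cookies, params, headers."""
    method: str
    path: str
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a startswith() check would also accept
    https://twitter.example.evil.example."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


class FollowService:
    """Toy in-memory model of sessions, per-session CSRF tokens and the follow graph."""

    def __init__(self):
        self.sessions = {}     # session id -> username
        self.csrf_tokens = {}  # session id -> token only pages on SITE_ORIGIN can read
        self.following = {}    # username -> set of followed usernames

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(16)
        self.following.setdefault(user, set())
        return sid

    def csrf_token_for(self, sid: str) -> str:
        return self.csrf_tokens[sid]

    def follow_vulnerable(self, req: Request) -> int:
        # Trusts the session cookie alone. The browser sends that cookie with every
        # request to the site, including one a third-party page triggered, so any
        # logged-in victim who loads the planted link performs the follow.
        user = self.sessions.get(req.cookies.get("sid"))
        if user is None:
            return 401
        self.following[user].add(req.params["target"])
        return 200

    def follow_hardened(self, req: Request) -> int:
        sid = req.cookies.get("sid")
        user = self.sessions.get(sid)
        if user is None:
            return 401
        # A plain link click is a GET; state changes are POST only.
        if req.method != "POST":
            return 405
        # Reject requests whose Origin (or, for older browsers, Referer) is another site.
        source = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not same_origin(source):
            return 403
        # Require the per-session token; a page on another origin cannot read it.
        token = req.params.get("csrf_token", "")
        if not hmac.compare_digest(token, self.csrf_tokens[sid]):
            return 403
        self.following[user].add(req.params["target"])
        return 200


def simulate_forced_follow(handler: str, method: str = "GET") -> tuple:
    """Replay the cross-site case against one handler: (status, victim now follows attacker?)."""
    svc = FollowService()
    sid = svc.login("victim")
    # Constructed request: what the victim's browser emits when it loads a link (GET)
    # or an auto-submitting form (POST) planted on an attacker's page. The cookie
    # rides along automatically; the attacker's page cannot supply the csrf_token.
    forged = Request(method, "/follow", {"sid": sid}, {"target": "attacker"},
                     {"Origin": "https://evil.example", "Referer": "https://evil.example/page"})
    status = getattr(svc, handler)(forged)
    return status, "attacker" in svc.following["victim"]


def simulate_legit_follow() -> tuple:
    """A follow submitted from the site's own form still succeeds against the hardened handler."""
    svc = FollowService()
    sid = svc.login("victim")
    legit = Request("POST", "/follow", {"sid": sid},
                    {"target": "friend", "csrf_token": svc.csrf_token_for(sid)},
                    {"Origin": SITE_ORIGIN})
    return svc.follow_hardened(legit), "friend" in svc.following["victim"]


if __name__ == "__main__":
    print("vulnerable, link:", simulate_forced_follow("follow_vulnerable"))          # (200, True)
    print("hardened, link:  ", simulate_forced_follow("follow_hardened"))            # (405, False)
    print("hardened, form:  ", simulate_forced_follow("follow_hardened", "POST"))    # (403, False)
    print("hardened, legit: ", simulate_legit_follow())                              # (200, True)
```

The three checks in the hardened handler are layered on purpose: the method check stops the link-click case described in the article, the origin check stops a cross-site auto-submitted form, and the token check holds even when a browser strips or omits the Origin and Referer headers.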
This Twitter bug is the newer of a pair that Raff has found on the service. Last week, he reported another vulnerability that let spammers and phishers send other Twitter users emails containing links to malicious sites. Twitter has since patched that flaw.
Expect more Twitter research, Raff said. "I'm working on several ways to abuse Twitter as a platform [and I'll] publish my research in this blog when I'm done," he said, referring to his Twitpwn site.
Raff is better known as a browser vulnerability researcher, notably for his part, in May, in uncovering the threat that the 'carpet bomb' bug in Apple's Safari posed to users of Microsoft's Internet Explorer. Most recently, he warned of several bugs in Apple's iPhone that could be used by phishers to dupe users into visiting malicious sites, or by spammers to flood the phone's inbox with junk mail.