(WEB HOST INDUSTRY REVIEW) — A flaw in SSL, the protocol used to secure communications over the Internet, could potentially have been exploited to break into individuals’ Twitter (www.twitter.com) accounts, says an IBM security expert, according to a report by PC World.
In a demonstration conducted last week, Anil Kurmus showed how an SSL bug could be used to dupe Twitter users into sending “tweets” that include their account password.
In order to pull off the scam, attackers would need to launch a man-in-the-middle attack from a position inside the victim’s network, making it difficult to affect a large number of Twitter members with this kind of tactic.
Twitter was able to patch the bug before anyone successfully pulled off the hack. However, security experts are concerned as to how many other websites might have a similar flaw.
A group of Internet companies has scrambled to resolve the SSL bug since November 5, when the flaw was made public.
Security experts say that the bug may potentially affect Webmail applications, as well as other applications like databases.
Experts say that the Twitter website was vulnerable to the flaw because it used client renegotiation under SSL, which lets a website request an SSL certificate from the user after he or she is already connected to the site.
Though the feature is beneficial in that it lets users log on using smart cards or allows sites to restrict access to a predetermined group of visitors, it also makes websites susceptible to this SSL attack.
Fortunately, many sites, such as Twitter, can disable client renegotiation.