Zohar Alon, the CEO of security solutions provider Dome9, discovered that Twitter's "secondary" sign-in form transmitted user passwords over plain HTTP instead of HTTPS.
Fortunately, Twitter rushed to address the issue as soon as it was notified, but until a few hours ago anyone positioned to sniff a user's network traffic could have exploited the flaw.
According to TNW, the bug did not affect the main sign-in page, the one users are presented with when they go to Twitter. It affected the drop-down sign-in form shown when someone views a profile or a tweet without being logged in.
The main login page submitted credentials over HTTPS, but this alternative form posted them over unencrypted HTTP, which meant that anyone sniffing a potential victim's network traffic (on a shared Wi-Fi network, for example) could read the password in clear text.
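The failure described above is easy to miss by eye, because the page itself can be served over HTTPS while one of its forms still posts to an http:// action. The following audit script is an added example, not code from the original article or from Twitter: it parses an HTML page, resolves each form's action against the page URL, and flags forms containing a password field that would submit over plaintext HTTP. The page URL and the HTML are constructed for the demonstration and stand in for the real Twitter pages; it also flags the more general cases of a login form delivered over HTTP (the form itself can be rewritten in transit) and a form using the GET method (credentials end up in the query string and in logs).

```python
"""Audit an HTML page for login forms that would submit credentials over plaintext HTTP.

Added example; the page URL and HTML below are constructed, not captured from Twitter.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form>, its resolved action URL, method, and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # completed forms
        self._current = None   # form being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself;
            # a relative action resolves against the page URL, so the scheme
            # the browser will actually use is only known after urljoin().
            action = attrs.get("action") or ""
            self._current = {
                "form": attrs.get("id") or attrs.get("name") or "",
                "action": urljoin(self.page_url, action),
                "method": (attrs.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_credential_forms(html, page_url):
    """Return findings for every form carrying a password field.

    problems:
      plaintext-submit  the resolved action is not https://, so the password crosses the wire in clear
      plaintext-page    the page itself was not served over https://, so the form can be tampered with in transit
      get-method        credentials would be placed in the URL query string
    """
    parser = _FormCollector(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        problems = []
        if urlsplit(form["action"]).scheme.lower() != "https":
            problems.append("plaintext-submit")
        if page_scheme != "https":
            problems.append("plaintext-page")
        if form["method"] == "get":
            problems.append("get-method")
        if problems:
            findings.append({"form": form["form"], "action": form["action"], "problems": problems})
    return findings


# Constructed sample: an HTTPS profile page with the main login form posting to HTTPS,
# a secondary drop-down form posting to HTTP (the pattern in the article), and a search
# form with no password field that the audit must ignore.
SAMPLE_URL = "https://twitter.com/someuser"  # hypothetical page URL
SAMPLE_PAGE = """
<html><body>
<form id="signin-main" action="https://twitter.com/sessions" method="post">
  <input type="text" name="username"><input type="password" name="password">
</form>
<form id="signin-dropdown" action="http://twitter.com/sessions" method="post">
  <input type="text" name="username"><input type="password" name="password">
</form>
<form id="search" action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_credential_forms(SAMPLE_PAGE, SAMPLE_URL):
        print(finding["form"], "->", finding["action"], ",".join(finding["problems"]))
```

On the constructed page only the drop-down form is reported, with `plaintext-submit`; if the same HTML were served from an http:// URL the main form would be reported as well, because its markup could be altered before it reaches the browser. The check only covers what the HTML declares: a form whose submission is assembled by JavaScript, or a server that redirects an HTTPS post to HTTP, needs to be confirmed by watching the actual request on the wire.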
After being notified by TNW and Alon, Twitter's security team patched the issue. However, this fairly serious vulnerability may have existed for some time, exposing the social network's 200 million users.
While this secondary sign-in form is used less often than the main page, it is still used by a large number of people.
Via: Secondary Twitter Sign In Form Found to Transmit Passwords in Plain Text