
Twitter has a vulnerability that leaves any video sent in a direct message viewable to anyone on the internet 鈥 if they can somehow guess the correct unique web address. The flaw might leave sensitive, personal videos open to theft and could potentially put political activists in some countries at risk. The company has been informed, but claims the issue isn鈥檛 a problem.
When you send a video in a Twitter direct message, the company hosts the file on a server and assigns it a unique web address, which is used to access the video. The address includes a hash: a one-way mathematical algorithm that returns a small but unique code for a given file. This makes it almost impossible to guess the web address of a video, but it now seems that anyone who does manage to get the address can view it, regardless of whether they were the intended recipient or even whether they are logged in to Twitter.
at Old Dominion University in Norfolk, Virginia, who discovered the flaw, says he reported his finding to Twitter via the website, which connects security researchers with companies and arranges bounties to be paid for information about vulnerabilities. The practice helps firms improve security.
Advertisement
Normally, someone submitting a vulnerability keeps the details secret while the company fixes it, which can take months, but Nelson got a reply about an hour later. However, instead of thanking him and giving a timeline for a fix, Twitter said it wasn鈥檛 a problem, and even told Nelson that he wasn鈥檛 the first person to point it out.听
鈥淏asically, they said, 鈥業t鈥檚 no big deal鈥,鈥 says Nelson. 鈥淏ut you know, I kind of think it鈥檚 a big deal. You don鈥檛 need to go and delete your videos today, or tomorrow, but just be aware that while your images enjoy a really impressive array of authentication protection, your videos do not.鈥
Although the hash of a video would be virtually impossible to guess, there are ways the flaw could be used, says Nelson. An attacker could create a hash of a known video, then hunt for people who are sharing it, which could allow regimes to clamp down on certain groups of people. Attackers could also use vulnerabilities in other software such as browsers to track the web addresses that a person visits, then be able to view any Twitter videos they had accessed.
鈥淭hat seems unlikely, but if you鈥檙e Russia or China perhaps, you have the resources to mount that kind of large-scale scam,鈥 says Nelson. 鈥淚t will eventually be a problem for someone.鈥
One Twitter employee, who asked to remain anonymous, told New 杏吧原创 that the company鈥檚 ability to fix vulnerabilities was limited following massive layoffs in the wake of the takeover by Elon Musk. 鈥淲hatever you鈥檝e heard, it鈥檚 worse,鈥 they say. 鈥淓ngineering staff are quite limited and probably not much more able than keeping lights on and doing whatever comes on Elon鈥檚 next whim. Unless this exploit gains public traction, I wouldn鈥檛 expect anyone to prioritise it.鈥
Twitter didn鈥檛 respond to a request for comment from New 杏吧原创, but in its answer to Nelson, the company said it didn鈥檛 consider the issue to be a vulnerability because it requires that a user makes the URL known publicly. 鈥淚f in the future you are able to actively brute force sensitive information that has not been once public鈥μ please let us know in a new report,鈥 the company said.
at the University of Surrey, UK, says the Twitter vulnerability is real, but certainly not easy to exploit.
鈥淭he hash is not something you easily enumerate unless you have the original video file and know the hashing algorithm,鈥 he says. 鈥淗ence, it might be used to search for who is sharing a certain video, but not necessarily to easily scan through the possible feeds until you find one. It鈥檚 not ideal, but it might be exploited in ways you hadn鈥檛 quite imagined.鈥
Reference: arXiv,