Secondary Twitter “Sign In” Form Found to Transmit Passwords in Plain Text

The page used HTTP instead of HTTPS, before the issue was fixed by Twitter

By on December 20th, 2012 10:56 GMT

Zohar Alon, the CEO of security solutions provider Dome9, discovered that the “secondary” Twitter sign-in page transmitted user passwords via HTTP, instead of the secure HTTPS.

Fortunately, Twitter rushed to address the issue immediately after being notified, but until a few hours ago, many cybercriminals could have exploited the flaw.

According to TNW (The Next Web), the bug didn’t affect the main sign-in page – the one that users are presented with when they access Twitter. Instead, it affected the drop-down sign-in form that visitors can open when viewing a profile or a tweet without being logged in to their accounts.

The main login page transmitted the information in a secure manner, but this alternative page used HTTP, which meant that all passwords could be easily intercepted by someone who was sniffing a potential victim’s network traffic.

After being notified by TNW and Alon about the security hole, Twitter’s security team patched up the issue. However, this fairly serious vulnerability could have been there for some time, impacting the social media site’s 200 million customers.

While this secondary sign-in page is not used as often as the main page, it’s still utilized by a large number of internauts.
