Gareth Heyes demonstrated on his blog that by exploiting a weakness in JSON, it is possible to extract the tweets of the visitor’s friends.
Twitter has fixed this issue by making authentication on the friends timeline mandatory, as it already is on other pages with sensitive information.
Giorgio Maone, the creator of NoScript, shows that the JSON weakness can still be demonstrated on the public timeline page. Fortunately, this page is intended for public information.
Well, it seems like it didn’t take that long for the malware authors to notice the opportunity in abusing Twitter as a malware distribution platform.
According to Kaspersky Labs:
“…This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.
If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular…”
Unfortunately, the auto-follow-me vulnerability is still exploitable for Internet Explorer users. I’m still withholding the technical details of this vulnerability in the hope that it won’t be exploited in the wild more than it probably already has been.