This article was published on July 13, 2010

Small Twitter Security Hole Could Leave Your Profile Open To 3rd Party Changes

Twitter, everyone’s favorite micro-sharing website, seems to have a small open security hole in its design. There is a simple, if very noticeable, way for a third-party application that you have green-lit for your Twitter account to change your profile information.

In Twitter there is a generally unknown set of commands that allow users to change their profile data. Depending on your local language, these commands take the form “set object newword.” There are three commands that we know of: url, location, and name. You can type “set name newname” in a tweet, and upon sending it, it should change your user name to ‘newname.’ If you used the correct syntax, the tweet will not be sent to your followers; it will be accepted by Twitter as a command and absorbed.

Insert either ‘url’ or ‘location’ for ‘name,’ and you can change your custom link or location just as quickly. That is all well and good if you are the one calling the shots. However, it is very likely that any application that you have allowed to sync with your Twitter account can send tweets from your profile. It could, in theory, tweet something from your account in the form of one of the aforementioned commands and change your username, location, and url for you, without your permission.

This is a simple thing to fix: Twitter can pull the commands, or just make them moot over its API. Either way, Twitter should solve this problem before someone abuses it.
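As an added illustration of the fix proposed above (this is not the article's or Twitter's own code): a hypothetical server-side status handler that recognises the “set name/url/location” command form described earlier and refuses to apply it when the status arrives through a third-party application, so a connected app can still post tweets but can no longer rewrite the profile. `Profile`, `Outcome`, `handle_status` and the `via_third_party` flag are assumed names for the sake of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The profile commands the article describes: "set <field> <value>" where
# <field> is one of name, url or location (English form; the article notes
# the wording varies by locale).
PROFILE_COMMAND = re.compile(r"^\s*set\s+(name|url|location)\s+(.+?)\s*$",
                             re.IGNORECASE)


@dataclass
class Profile:            # assumed stand-in for the stored user profile
    name: str
    url: str
    location: str


@dataclass
class Outcome:            # what the handler did with the submitted text
    action: str           # "tweet_posted", "profile_updated", "command_rejected"
    field: Optional[str] = None
    value: Optional[str] = None


def parse_profile_command(text: str) -> Optional[Tuple[str, str]]:
    """Return (field, value) if text is a profile-setting command, else None."""
    m = PROFILE_COMMAND.match(text)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def handle_status(profile: Profile, text: str, via_third_party: bool) -> Outcome:
    """Apply a submitted status.

    Mirrors the mitigation the article suggests: a profile command is only
    honoured when the user sends it directly; a status posted on the user's
    behalf by an authorised third-party app is never interpreted as a command.
    """
    cmd = parse_profile_command(text)
    if cmd is None:
        return Outcome("tweet_posted")          # ordinary tweet, any client
    field, value = cmd
    if via_third_party:
        # Make the command moot over the API: do not apply it, and report
        # the rejection rather than silently absorbing it, so it can be logged.
        return Outcome("command_rejected", field, value)
    setattr(profile, field, value)             # first-party client: apply it
    return Outcome("profile_updated", field, value)
```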

Want to be safe? Make sure that you trust all the applications that you have connected to your Twitter account.