Small Twitter Security Hole Could Leave Your Profile Open To 3rd Party Changes

Twitter, everyone’s favorite micro-sharing website, seems to have a small open security hole in its design. There is a simple, if very noticeable, way for a third-party application that you have green-lighted for your Twitter account to change your profile information.

In Twitter there is a generally unknown set of commands that allow users to change their profile data. Depending on your local language, these commands take the form “set object newword.” There are three commands that we know of: url, location, and name. You can type “set name newname” in a tweet, and upon sending it, it should change your user name to ‘newname.’ If you used the correct syntax, the tweet will not be sent to your followers; it will be accepted into Twitter as a command and absorbed.

Insert either ‘url’ or ‘location’ in place of ‘name,’ and you can change your custom link or location quickly. That is all well and good if you are calling the shots. However, it is very likely that any application that you have allowed to sync with your Twitter account can send tweets from your profile. Such an application could, theoretically, tweet something from your account in the form of one of the aforementioned commands, and change your username, location, and url for you, sans your permission.

This is a simple thing to fix: Twitter can pull the commands, or just make them moot over their API. Either way, Twitter should solve this problem before someone abuses it.
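To make the second option concrete, here is an added sketch (not Twitter's code) of a status handler that honors the "set" commands only when the account owner is typing directly, and treats the same text from a connected application as an ordinary tweet. The `Account` class, the `handle_status` function and the source labels are hypothetical names chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# The three commands the article names.
SETTABLE_FIELDS = {"name", "url", "location"}

# Assumption: labels for channels where the account owner types directly.
FIRST_PARTY_SOURCES = {"web", "sms"}

# "set <object> <newword>", as described in the article.
COMMAND_RE = re.compile(r"^set\s+(\w+)\s+(.+)$", re.IGNORECASE)


@dataclass
class Account:
    profile: dict
    timeline: list = field(default_factory=list)


def handle_status(account, text, source):
    """Apply a profile command or publish a tweet.

    Returns "command" if the text was absorbed as a profile change,
    "tweet" if it was published to the timeline.
    """
    match = COMMAND_RE.match(text.strip())
    if match and match.group(1).lower() in SETTABLE_FIELDS:
        if source in FIRST_PARTY_SOURCES:
            account.profile[match.group(1).lower()] = match.group(2).strip()
            return "command"
        # Connected application: the command is moot. The profile stays
        # untouched and the text falls through to be published visibly,
        # so the owner can see what the application tried to send.
    account.timeline.append(text)
    return "tweet"


if __name__ == "__main__":
    # Constructed sample account and inputs.
    acct = Account(profile={"name": "alice", "url": "https://example.com",
                            "location": "NYC"})
    print(handle_status(acct, "set location Chicago", "web"))
    print(handle_status(acct, "set name mallory", "api:connected_app"))
    print(acct.profile, acct.timeline)
```
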

Want to be safe? Make sure that you trust all the applications that you have connected to your Twitter account.
