
Twitter has a vulnerability that leaves any video sent in a direct message viewable to anyone on the internet – if they can somehow guess the correct unique web address. The flaw might leave sensitive, personal videos open to theft and could potentially put political activists in some countries at risk. The company has been informed, but claims the issue isn’t a problem.
When you send a video in a Twitter direct message, the company hosts the file on a server and assigns it a unique web address, which is used to access the video. The address includes a hash: a one-way mathematical algorithm that returns a small but unique code for a given file. This makes it almost impossible to guess the web address of a video, but it now seems that anyone who does manage to get the address can view it, regardless of whether they were the intended recipient or even whether they are logged in to Twitter.
at Old Dominion University in Norfolk, Virginia, who discovered the flaw, says he reported his finding to Twitter via the website, which connects security researchers with companies and arranges bounties to be paid for information about vulnerabilities. The practice helps firms improve security.
Advertisement
Normally, someone submitting a vulnerability keeps the details secret while the company fixes it, which can take months, but Nelson got a reply about an hour later. However, instead of thanking him and giving a timeline for a fix, Twitter said it wasn’t a problem, and even told Nelson that he wasn’t the first person to point it out.
“Basically, they said, ‘It’s no big deal’,” says Nelson. “But you know, I kind of think it’s a big deal. You don’t need to go and delete your videos today, or tomorrow, but just be aware that while your images enjoy a really impressive array of authentication protection, your videos do not.”
Although the hash of a video would be virtually impossible to guess, there are ways the flaw could be used, says Nelson. An attacker could create a hash of a known video, then hunt for people who are sharing it, which could allow regimes to clamp down on certain groups of people. Attackers could also use vulnerabilities in other software such as browsers to track the web addresses that a person visits, then be able to view any Twitter videos they had accessed.
“That seems unlikely, but if you’re Russia or China perhaps, you have the resources to mount that kind of large-scale scam,” says Nelson. “It will eventually be a problem for someone.”
One Twitter employee, who asked to remain anonymous, told èƵ that the company’s ability to fix vulnerabilities was limited following massive layoffs in the wake of the takeover by Elon Musk. “Whatever you’ve heard, it’s worse,” they say. “Engineering staff are quite limited and probably not much more able than keeping lights on and doing whatever comes on Elon’s next whim. Unless this exploit gains public traction, I wouldn’t expect anyone to prioritise it.”
Twitter didn’t respond to a request for comment from èƵ, but in its answer to Nelson, the company said it didn’t consider the issue to be a vulnerability because it requires that a user makes the URL known publicly. “If in the future you are able to actively brute force sensitive information that has not been once public… please let us know in a new report,” the company said.
at the University of Surrey, UK, says the Twitter vulnerability is real, but certainly not easy to exploit.
“The hash is not something you easily enumerate unless you have the original video file and know the hashing algorithm,” he says. “Hence, it might be used to search for who is sharing a certain video, but not necessarily to easily scan through the possible feeds until you find one. It’s not ideal, but it might be exploited in ways you hadn’t quite imagined.”
Reference: arXiv,