Adam Popescu had a gut feeling that something was amiss when the following DM hit his Twitter inbox:
OMG they said he died…Did he? [SHORT LINK]
Unfortunately, he went against his gut feeling, clicked the link, and found himself staring at a spoofed news page with an acai berry diet sales pitch. He promptly realized his mistake and closed the browser window, but it was already too late: a diet tweet was posted to his account shortly thereafter.
It was a mind-boggling situation. Unlike other Twitter scams, Popescu was never prompted to enter his login information and he didn’t grant any rogue apps access to his profile. So what happened?
As a commenter by the name of Sivvy pointed out, he was likely the victim of an XSS (cross-site scripting) attack:
Chances are Adam's cookie (from Twitter) was passed through the URL to that attack site, which then checked what URL referred him to that site. Using the cookie, an attacker can assume his identity, so long as Adam doesn't close his session before the attacker uses it.
In order to avoid losing their account entirely after falling for such an attack, a user would need to:
- Change their account password immediately.
- Check their account for any rogue apps that the attacker may have installed on their profile.
Aside from that, it is always a good idea to log out of Twitter when you’re done, and stay logged out for at least 20 minutes to ensure that your session is closed on the server (once the session is closed on the server, the session cookie is invalid and cannot be reused, even by someone who copied it).
If you received the DM but haven’t clicked the link, leave it unclicked, report the message to Twitter and delete it immediately.
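To make concrete what "the session is closed on the server" means for a copied cookie, here is an added Python example; it is not code from the original post and not Twitter's implementation. It uses a hypothetical in-memory session store with an assumed 20-minute lifetime, issues the session cookie with the HttpOnly, Secure and SameSite attributes (so page scripts, including injected ones, cannot read it via document.cookie), and shows that once the user logs out the token is rejected no matter who presents it.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Hypothetical in-memory session store (assumption for this example); a real
# site would keep this in a database or cache shared by its web servers.
SESSION_TTL_SECONDS = 20 * 60  # assumed lifetime, matching the "20 minutes" above
_sessions: Dict[str, dict] = {}


def login(username: str, now: Optional[float] = None) -> str:
    """Create a server-side session and return the opaque token for the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable; carries no user data itself
    _sessions[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie header value for the session token.

    HttpOnly: page scripts (and so an XSS payload) cannot read it.
    Secure:   the browser only sends it over HTTPS.
    SameSite: the browser does not attach it to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def whoami(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to a token, or None if it is unknown or expired.

    Whoever presents the token is treated as that user: this is exactly why a
    leaked cookie is dangerous until the session is closed on the server.
    """
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    if now >= entry["expires"]:
        _sessions.pop(token, None)  # lazy expiry: drop stale sessions when seen
        return None
    return entry["user"]


def logout(token: str) -> None:
    """Close the session server-side; the cookie value is now dead even if copied."""
    _sessions.pop(token, None)


if __name__ == "__main__":
    t0 = 1_000.0                       # constructed clock value for the demo
    token = login("adam", now=t0)
    print(session_cookie_header(token))
    stolen = token                     # an attacker who grabbed the cookie value
    print("attacker sees:", whoami(stolen, now=t0 + 60))   # still "adam"
    logout(token)                      # victim logs out
    print("attacker sees:", whoami(stolen, now=t0 + 120))  # None: token is useless
```

The point a practitioner should take from this is that the cookie attributes reduce how easily the token leaks, while the server-side store is what actually ends the attacker's access: logging out (or letting the session expire) is the recovery step, and a password change alone does nothing for a session that is still open.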
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.