A simple way to phish for Twitter passwords?

SophosLabs received an interesting email today from a user who believed that high-tech news website Wired.com had been hacked.

As Ted Russ posts on his blog, he had a strange dialog box pop up when he visited a page on the Wired website, asking him to confirm his Twitter username and password.

Twitter username/password pop-up on Wired.com

We haven’t been able to reproduce Ted’s experience so far in our testing, but from the screenshot he produces on his blog we think we know what is going on here.

Earlier this week, details were published on the net of how you could write some simple JavaScript to potentially greet visitors to your site with their Twitter username.

Essentially, a call can be made (quite legitimately) to the Twitter API to retrieve the “user timeline” data. This can then be parsed to extract the Twitter username – something you might want to do if you wished to display a friendly greeting to your web visitors.

What interests us, of course, is that it’s possible to also envisage a scenario where you can use this technique to construct a quite believable phishing message. Certainly more believable than the “click on a link” approach used by the widespread phishing scam seen on Twitter in the last week.

However, the published information about how to acquire the Twitter username had one caveat – the user was prompted for Twitter authentication if they were not already authenticated. And this seems to tally with what Ted saw when he visited the Wired website. Subsequently, though, others have provided additional parameters to the API query which are said to suppress the authentication prompt.

We can’t say for certain if this is what was happening when Ted visited Wired.com, as we haven’t been able to reproduce the behaviour. And if it was the case it’s possible that it was a completely innocent (but misguided) attempt to greet a Twitter user in a friendly way, rather than something malicious. Equally, it’s possible that the code was served up via an advert on Wired.com’s site rather than directly by Wired itself.

For now we have to put this report of Wired.com being hacked in the “unconfirmed” box.

One thing is certain. The headlines about Twitter phishing and high-profile celebrities having their accounts hacked have raised the profile of the micro-blogging website – both amongst the public and, most likely, hackers too.

Credit where credit’s due: Thanks to Fraser Howard of SophosLabs for his help in investigating this issue.