A simple way to phish for Twitter passwords?

Graham Cluley
@gcluley

SophosLabs received an interesting email today from a user who believed that high-tech news website Wired.com had been hacked.

As Ted Russ posts on his blog, he had a strange dialog box pop up when he visited a page on the Wired website, asking him to confirm his Twitter username and password.

We haven’t yet been able to reproduce Ted’s experience in our testing, but from the screenshot he posted on his blog we think we know what is going on here.

Earlier this week, details were published online of how a few lines of simple JavaScript could be used to greet visitors to your site by their Twitter username.

Essentially, a call can be made (quite legitimately) to the Twitter API to retrieve the “user timeline” data, which can then be parsed to extract the Twitter username – something you might want to do if you wished to display…

Read more in my article on the Naked Security website.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.