
Critical X Bug Enables Account Takeover with a Single Click

Today, the pseudonymous white-hat security researcher Samczsun warned the crypto community about a bug discovered in the X platform (formerly Twitter). According to the researcher, this bug "allows hackers to gain full access to your account by simply clicking a link."


Samczsun explains that the bug lets malicious actors perform a variety of actions on the platform on the victim's behalf, including posting content, sharing other users' posts, and blocking accounts. Notably, it does not allow changing the password of a compromised account.

Samczsun emphasizes that "Typically clicking a link is safe as long as you do not click anything on the page (like a 'link MetaMask' button). In this case, simply loading the page is game over," adding that exploitation of this vulnerability is "the Twitter equivalent of a Discord session stealer."

As a preventive measure, Samczsun recommends uBlock Origin, an ad-blocking browser extension. However, some X users dispute the effectiveness of this tool.

For users accessing Twitter in a mobile browser, where extensions cannot be installed, Samczsun advises logging out of the browser and using the app instead.

Although Samczsun announced roughly two hours after the initial warning that the bug had been fixed, extra caution is still advisable. The potential victims extend beyond regular X users to legitimate Web3 projects, whose compromised X accounts could be used in subsequent phishing scams.


Vulnerability explanation

The technical summary of the bug states that "Reflected XSS in a Twitter subdomain and CORS/CSP bypass allows for arbitrary requests to the Twitter API as a locally authenticated user." The term "reflected XSS" (cross-site scripting) denotes a vulnerability that lets an attacker inject a malicious script into a web application, here the X platform. The "reflected" aspect means the script arrives as part of the request (for example in a URL parameter), is returned unsanitized in the server's response, and is then executed in the user's browser, with the user's own session.

CORS (Cross-Origin Resource Sharing) and CSP (Content Security Policy) are browser-enforced security mechanisms. CORS controls whether a page from one origin may read the responses to requests it sends to a different domain, and CSP restricts which scripts a page is allowed to load and execute. By circumventing these safeguards, malicious actors can initiate requests to the X API from a source (domain) distinct from the origin of the web page, and do so with the victim's authenticated session.
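To make the three ingredients of the summary concrete, here is an added example (not code from the article, from Samczsun, or from X) showing a reflected-XSS pattern beside its escaped form, an Origin allowlist of the kind that prevents a CORS read, and a CSP header that refuses inline scripts. The handler names and the allowlist entry are invented for illustration.

```javascript
// Added example; none of this is X's code. Names and origins are assumed.

// Reflected XSS pattern: the "q" parameter is copied into the HTML response as-is,
// so whatever the request carried is executed by the browser that loads the page.
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Fix: HTML-escape untrusted input before it is placed in markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// CORS: only an explicit allowlist of origins may read API responses.
// Reflecting an arbitrary Origin header back (or using "*" with credentials)
// would let any page read the API as the logged-in user.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allowlist

function corsHeadersFor(origin) {
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return {}; // no Access-Control-Allow-Origin: the browser blocks the cross-origin read
}

// CSP as defence in depth: without 'unsafe-inline', a script injected into the
// page body is not executed even if the escaping above is missed somewhere.
function cspHeader(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Quick check for a test suite: did untrusted input survive into a raw <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```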

This article was originally posted on Coinpaper.com.
