A security researcher has identified a flaw in SSL, which could be used to steal users' Twitter credentials.
SSL (Secure Sockets Layer) is widely used across e-commerce sites to protect credit card details and other personal information. Security newsgroups have been buzzing with activity over the flaw in SSL, which could allow a "man-in-the-middle" attacker to add data onto a secure HTTPS transaction.
In a man-in-the-middle attack, the attacker makes independent connections with each victim and relays messages between them. The victims believe they are talking to each other over a private connection, but the conversation is controlled by the attacker.
However, according to Anil Kurmus writing on the Full Disclosure mailing list, this flaw is unlikely to be exploited for HTTPS, as it only allows the attacker to inject data.
But Anil Kurmus has discovered a way that a modified attack could be used to steal Twitter credentials over an SSL link.
He demonstrated how an attacker could launch a man-in-the-middle attack to steal the credentials of a user authenticating himself through HTTPS to a trusted website such as Twitter.