Twitter has just fixed it, but until now its secondary sign-in form transmitted user passwords over plain HTTP instead of HTTPS.
To Twitter’s credit, once they learned about the vulnerability — discovered by Zohar Alon, chief executive at security solutions provider Dome9 — they addressed the issue immediately.
The bug did not affect the main sign-in page, the one users get when they go to Twitter to log in. It affected the drop-down sign-in form that appears when a user who is not logged in views a profile or a tweet.
The main login page submitted credentials over HTTPS, but this alternative form submitted them over HTTP, so every password entered there could be read by anyone sniffing the victim's network traffic, for example on the same open wireless network.
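The class of bug described above is easy to miss by hand because the page itself may load over HTTPS while one embedded form still posts to an HTTP URL. The following Python script is an added example, not code from the article or from Twitter: it parses a page's HTML, finds every form that contains a password field, resolves the form's submit URL the way a browser would (a missing action submits to the page URL, a relative action resolves against it), and reports the ones that would go over plain HTTP. The page URL, HTML and endpoints below are constructed for the example.

```python
import urllib.parse
from html.parser import HTMLParser


class LoginFormAuditor(HTMLParser):
    """Collect every <form> that contains an <input type="password">,
    together with the absolute URL a browser would submit it to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # finished records: {"action": url, "has_password": bool}
        self._current = None     # record for the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # HTMLParser lowercases tag and attribute names
        if tag == "form":
            # A missing or empty action submits to the page's own URL;
            # a relative action is resolved against the page URL.
            action = attrs.get("action") or self.page_url
            self._current = {
                "action": urllib.parse.urljoin(self.page_url, action),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            # <input> without a type attribute defaults to a text field.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(page_url, html):
    """Return the submit URLs of password forms that would be sent over
    something other than HTTPS (i.e. readable by a network sniffer)."""
    auditor = LoginFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [
        form["action"]
        for form in auditor.forms
        if form["has_password"]
        and urllib.parse.urlsplit(form["action"]).scheme.lower() != "https"
    ]


# Constructed sample: an HTTPS profile page carrying a main login form that
# posts to HTTPS, a search form with no password, and a drop-down login form
# whose action is hard-coded to an HTTP URL (the class of bug in the article).
SAMPLE_PAGE_URL = "https://example.test/profile"
SAMPLE_HTML = """
<html><body>
  <form action="https://example.test/login" method="post">
    <input name="username"><input type="password" name="password">
  </form>
  <form action="/search" method="get"><input name="q"></form>
  <div class="dropdown">
    <form action="http://example.test/sessions" method="post">
      <input name="username"><input type="PASSWORD" name="password">
    </form>
  </div>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password form submits over plain HTTP:", url)
```

Run against a saved copy of the page (or the HTML returned by an HTTP client) with the URL the page was fetched from; the page URL matters because a form with a relative action inherits the page's scheme, so the same form is safe on an HTTPS page and leaky on an HTTP one. The check only covers what is in the static HTML: a form whose action is rewritten by JavaScript at submit time needs a proxy such as a browser's network inspector to see the actual request.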
After learning of the security hole, Twitter's security team patched the issue. This serious vulnerability had nevertheless been present for some time, exposing the social media site's 200 million users.
While this secondary sign-in form is not used as often as the main page, a large number of users still rely on it.