* Twitter disables 'widget' function
* Researcher had told Twitter passwords could be hacked
* Security flaw related to Adobe Flash
* Twitter co-founder says investigating problem
(Adds comment from Twitter CEO)
BOSTON, Jan 22 (Reuters) - Twitter has temporarily disabled
one of the features on its website after a security researcher
warned of a programming flaw that left the login credentials of
its users vulnerable to hackers.
Twitter co-founder Biz Stone said in an email that the
company had temporarily cut off access to a feature that lets
users display Twitter updates on their websites by using Flash.
"Our team has disabled the Flash widget while we look into
the problem," Stone said.
Mike Bailey, a senior security analyst with Foreground
Security of Orlando, Florida, said that the problem exploits a
widely known vulnerability in Adobe Systems Inc's
Flash programming language.
Adobe has told programmers how to address the
vulnerability, which was first discovered in 2006, Bailey
added, but noted the operators of many websites have failed to
respond to those warnings.
The microblogging site's huge popularity has made it a
prime target for hackers looking to spread malicious software
to Twitter's millions of users.
"As simple as the attack is, I've been finding them all
over the place," Bailey said.
Officials with Adobe declined to comment.
A hacker last month briefly hijacked the Twitter site and
redirected it to one that claimed to represent a group calling
itself the Iranian Cyber Army. That high-profile attack -- by a
perpetrator who stole credentials to the account that Twitter
uses to route its traffic -- did not compromise credentials of
any Twitter users.
Bailey said his analysis of the Twitter site showed that it
could have been vulnerable to attacks for more than a year, but
that it was impossible to know whether hackers had actually
exploited the Adobe flaw.
He is scheduled to discuss his research on the Twitter flaw
at the Black Hat DC security research conference in Washington,
which begins on Feb. 2.
(Reporting by Jim Finkle; Editing by Derek Caney and Matthew