An attacker can use a flaw in Twitter’s API to take control of a Twitter user’s account, according to details of a vulnerability discovered in March.
Researchers at security firm Trend Micro discovered the flaw after an account was compromised by an attacker with access to an unpatched version of Twitter’s software.
The bug affects the Twitter web interface, which is used to sign in users to their account and interact with the social network.
The issue also affects users who have logged in using the same Twitter account.
An attacker could gain control of the user’s Twitter account simply by getting the user to click a link sent to them, Trend Micro said in a blog post announcing the flaw.
“Twitter is using an insecure API to allow a remote attacker to use a compromised API key to control the Twitter account,” it said.
“The attacker can gain unauthorized access to the account by using a malicious Twitter link, and by using the attacker’s own Twitter account.”
The vulnerability has also likely been exploited by attackers, who can now gain access to a Twitter account using the compromised key, Trend said.
The vulnerability was discovered by researchers at security consultancy FireEye, and was disclosed on March 11.
Twitter released a statement about the vulnerability to customers on Monday, but did not specify how many people have been affected.
The company said it had notified users of the issue, and it would take “steps to protect them.”
Twitter did not immediately respond to a request for comment on Wednesday.
Twitter said it has implemented new security measures to improve the security of its systems, including a new authentication system for all users that makes it harder for an attacker to gain unauthorized control of an account.
Twitter’s system allows users to log into accounts from their desktop or mobile devices.
But that system does not protect against a remote or network-level attack, as demonstrated by a recent hack in which an attacker could take over an account using a user’s compromised login credentials.
Twitter recently started testing a new, improved security system called “Sign in as Twitter user,” which will make it harder to hijack an account by exploiting a vulnerability in Twitter, FireEye said.
Trend Micro has also disclosed the vulnerability in the Twitter security app and Twitter’s own web interface.
In a blog posting on Tuesday, Trend noted that the vulnerability affects a subset of the Twitter API, which means that it is a low-risk exploit that would likely not impact most users.
Twitter did offer a security update for users on Tuesday.