The Tech Herald

Twitter faces another attack – XSS vulnerability discovered

by Steve Ragan - Mar 23 2009, 16:00

Late last week, word of a new attack vector on Twitter started to spread in the media and on the popular micro-blogging service itself. The attack is a cross-site scripting (XSS) flaw which, if exploited, posts a message to the victim's Twitter account. This led to sensational speculation over the weekend about what the flaw could mean for the future of Web-based services and features.

The Proof-of-Concept (PoC) of the Twitter attack, as presented by Secure Science, actually offers an option allowing the exploit to be avoided. However, that didn’t stop several hundred people from becoming willing participants in the demonstration of the attack.

As of Sunday, there are seven pages of confirmed successful attacks listed on Twitter. The compromise, if users allow the PoC to work, posts the message: “I just got owned!” to the affected Twitter account and directs it to @XSSExploits.

The resulting speculation comes from a 'what-if' comment made by Secure Science's Lance James in an instant-message interview with The Register:

“With a technology such as Twitter, I could use it to infect massive amounts of Twitter readers/users, say with malware or steal their accounts, etc.,” said James. “Because it's a serious hack, I was being nice and put a disclaimer up, but it could (have) been as bad as the Samy is my hero stuff [and] more.”

The Samy Worm was used on MySpace in 2005, resulting in MySpace being knocked offline. If you need more information on Samy, the author of the code used on MySpace explains things here and here.

Long story short -- Samy was an AJAX-based XSS attack that added “but most of all, Samy is my hero” to the profile page of any MySpace user who viewed a hijacked profile. The nature of the code and XSS itself meant that all one needed to do was view a hijacked profile to trigger the code. Within a day, Samy, as it was called, spread to over a million users.

The relation that the newest Twitter vulnerability has to Samy is only theoretical at the moment, as only those who have used the PoC have been victimized. The odds are Twitter will have this fixed sooner rather than later, especially given the subsequent media attention.

The XSS itself starts from apiwiki.twitter.com. Secure Science added JavaScript to the form used to request a link for a custom application that uses the Twitter API. The XSS code was inserted into the "Application Name" field of the form, from where it was stored and later rendered back to visitors without being neutralized.

“Combining Twitter and its viral market effect, an attacker could do much more than our simple proof of concept. They could use this to infect massive amounts of Twitter users within hours using remote exploit code, as well as steal their Twitter account information, all without the victims' knowledge,” the message from the PoC explained.

“If you proceed, a tweet will be posted automatically AS YOURSELF,” it added. “The contents of this tweet are innocuous but demonstrate the viral capabilities. By clicking OK you will demonstrate this flaw. Clicking cancel will leave this demonstration without any effects.”
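As an added illustration, not part of Secure Science's PoC or of Twitter's code, the JavaScript below shows the class of defect described above: a stored "Application Name" value interpolated into HTML verbatim, next to a rendering that escapes it first, plus a crude check a reviewer can run over rendered fragments. The function names, the sample application name and the URL are constructed for this example.

```javascript
// Characters that let text escape a text node or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape untrusted text before placing it in HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: the stored application name goes into the page as-is,
// so any markup a submitter typed into the form becomes live markup.
function renderAppLinkVulnerable(appName, appUrl) {
  return `<a href="${appUrl}">${appName}</a>`;
}

// Hardened rendering: both the link text and the attribute value are escaped.
// (Validating the URL scheme is a separate control not shown here.)
function renderAppLinkSafe(appName, appUrl) {
  return `<a href="${escapeHtml(appUrl)}">${escapeHtml(appName)}</a>`;
}

// Crude regression check: count tag openers in a rendered fragment. A single
// link should yield exactly two (the <a> open and close tags); more means
// submitter-controlled markup survived into the output.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample input resembling a hostile application name.
const HOSTILE_NAME = 'MyApp<script>alert(1)</script>';
const APP_URL = 'https://example.invalid/app';

// Usage: the vulnerable fragment reports 4 tags, the escaped one 2.
countTags(renderAppLinkVulnerable(HOSTILE_NAME, APP_URL)); // returns 4
countTags(renderAppLinkSafe(HOSTILE_NAME, APP_URL));       // returns 2
```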

James also told PC World that he hopes Twitter will make security a priority thanks to the vulnerability his company reported, saying: “We don't want to cause any damage to Twitter,” and adding that he is hoping no one does something “stupid at this moment.”

This is not the first attack vector demonstrated on Twitter. Two weeks ago, 750 Twitter accounts were confirmed compromised and used to propagate malicious links that led to online porn and, thanks to embedded JavaScript, installed porn-related advertisements on the victim's system.

Last month, it was discovered that Twitter was vulnerable to Clickjacking, leading to automatic posts to user accounts. The Clickjacking vulnerability was fixed, twice, but that doesn’t mean all of the bugs are out of the system.

The Tech Herald: Twitter hit by account hijacking attack - 750 accounts confirmed compromised (Update)

The Tech Herald: Twitter’s Clickjacking fix broken – then quickly fixed again

The Tech Herald: Twitter account hijackings raise concerns over account protection
