UPDATE: Engineers at the social network Twitter.com have plugged a vulnerability in the company’s main Web page after attacks exploiting the hole may have hit more than 500,000 users.

The security hole was patched at about 9:45 AM ET, according to a post by Del Harvey (@delbius), the head of Twitter’s Trust and Safety Team. In a blog post, Bob Lord of the Twitter Security Team said that the company first learned of the exploit at 5:54 AM Eastern Daylight Time. The hole in question had been patched internally by the company last month, but was inadvertently reintroduced with a Web site update, Lord wrote.

Security researchers at Kaspersky Lab began noticing a cross site scripting attack on the Twitter.com site about two hours before the patch, just after 7:30 AM Eastern Time. In the intervening two hours the attack spread like wildfire across the social network, with up to 100 users per second falling victim at its height, according to data from TwitScoop.com. Based on that figure and the length of the attack, it may have hit as many as half a million Twitter users, according to an estimate by George Wicherski, an analyst at Kaspersky Lab who was among the first to identify the attack.

Victims included high-profile Twitter users such as White House Press Secretary Robert Gibbs, who was perplexed by the balky javascript tweeted from his account to more than 97,000 followers.

“My Twitter went haywire – absolutely no clue why it sent that message or even what it is…paging the tech guys…” Gibbs posted from the @PressSec Twitter account just after 8:30 AM Eastern Time. 

The attacks leveraged a common javascript feature, onmouseover, which lets Web developers trigger actions when visitors move their mouse cursor over a designated area of a Web page. The attacks were mostly harmless “proof of concept” attacks that simply reposted the javascript from the user’s session as a Tweet, said Costin Raiu, Chief Security Expert at Kaspersky Lab.
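To make the mechanism concrete, here is an added example (not Twitter’s code, and not any of the worm payloads that circulated): a minimal tweet “linkifier” of the kind that is vulnerable to this attack, beside a hardened version. The payload tweet, the example.invalid host and the function names are all constructed for illustration. The point it demonstrates is that no `<script>` tag is needed: a double quote inside a token that merely starts with `http://` closes the `href` attribute, and everything after it becomes new attributes on the link.

```javascript
// Added example, not Twitter's code: a minimal tweet "linkifier" showing how an
// onmouseover payload escapes an href attribute, and how to render the same input safely.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter inside HTML text and quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// A "URL" token is the run of non-whitespace characters that begins with http(s)://.
const URL_TOKEN = /https?:\/\/\S+/g;

// Vulnerable: the token starts with a scheme, so it "looks like a URL", and is pasted
// raw into the attribute. Filtering script tags does not help here: a '"' inside the
// token closes the href value and whatever follows is parsed as further attributes.
function linkifyVulnerable(text) {
  return text.replace(URL_TOKEN, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: parse the token with the WHATWG URL parser, allow only http/https,
// re-serialize it (which percent-encodes '"' and other characters not allowed in a
// path), and entity-escape both the attribute value and the visible text.
function linkifySafe(text) {
  return text.replace(URL_TOKEN, (url) => {
    let parsed;
    try { parsed = new URL(url); } catch { return escapeHtml(url); }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return escapeHtml(url);
    return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(url)}</a>`;
  });
}

// Check used below: does any <a> start tag in the rendered HTML carry an on* handler
// attribute (an on* name preceded by a quote or whitespace, followed by '=')?
function hasEventHandlerAttribute(html) {
  return /<a\b[^>]*["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed payload tweet: the quote after '@' ends the href value in the vulnerable
// renderer, turning the rest of the token into an onmouseover handler and a style.
const CONSTRUCTED_PAYLOAD_TWEET =
  'check this http://example.invalid/@"onmouseover="alert(1)"style="color:red"/ wow';

console.log('vulnerable:', linkifyVulnerable(CONSTRUCTED_PAYLOAD_TWEET));
console.log('hardened:  ', linkifySafe(CONSTRUCTED_PAYLOAD_TWEET));
```

Run under Node: the vulnerable output contains a live `onmouseover=` attribute on the link, while the hardened output carries the same characters only as `%22onmouseover=` inside a single, properly quoted `href`. Note that the fix is not a blacklist of attribute names; it is treating the token as data (parse, validate the scheme, re-serialize, escape), which also covers the `style=` and jQuery-based variants the page describes.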

Exploits of the hole were, for the most part, harmless and appear to have been ad hoc rather than planned: as users learned of the cross site scripting hole, they developed novel ways of exploiting it.

“First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet,” Lord wrote on the Twitter blog. “Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.” 

Kaspersky researchers identified at least two worms that also launched on Tuesday morning, leveraging the same hole. Worm code was circulating on IRC within minutes of the discovery of the cross site scripting hole, Kaspersky Lab researcher Wicherski said in a blog post on the bug.

The worms allowed attackers to infect a user’s account and those of his or her followers, as well. However, neither worm carried malicious payloads and neither appears to have spread as rapidly, Wicherski said.

Attack traffic began to taper off by around 10:00 AM Eastern time, with compromises down to around 40 per minute as Twitter’s patch took hold. However, lingering compromises continued even after the patch, from users still being served older, cached and unpatched versions of the page, Raiu said.
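As an added example (not Kaspersky Lab’s or Twitter’s tooling), here is the kind of detection logic one could run over a stream of tweets to flag attribute-breakout payloads like the ones described and bucket hits per minute, which is how a rate such as “40 a minute” is tracked while a fix propagates through caches and CDN nodes. The sample feed, its timestamps and the example.invalid host are constructed for illustration; the pattern is deliberately narrow (a raw quote inside a URL token, followed by an `on*=` handler in the same token) so that ordinary links are not flagged.

```javascript
// Added example, not Kaspersky's or Twitter's code: flag tweets whose URL token
// contains a raw quote followed by an on* handler attribute, and count hits per minute.

// A URL token (non-whitespace run after http(s)://) containing a raw quote and, still
// inside the same token, an event-handler attribute name followed by '='.
const BREAKOUT = /https?:\/\/\S*["']\S*\bon[a-z]+\s*=/i;

function isBreakoutTweet(text) {
  return BREAKOUT.test(text);
}

// tweets: [{ ts: ISO-8601 string, text: string }]
// returns Map of 'YYYY-MM-DDTHH:MM' -> number of flagged tweets in that minute
function hitsPerMinute(tweets) {
  const buckets = new Map();
  for (const t of tweets) {
    if (!isBreakoutTweet(t.text)) continue;
    const minute = t.ts.slice(0, 16); // truncate seconds and zone designator
    buckets.set(minute, (buckets.get(minute) || 0) + 1);
  }
  return buckets;
}

function peakPerMinute(buckets) {
  let peak = 0;
  for (const n of buckets.values()) if (n > peak) peak = n;
  return peak;
}

// Constructed sample feed (timestamps, hosts and texts are made up for the example).
const CONSTRUCTED_FEED = [
  { ts: '2010-09-21T13:40:05Z', text: 'good morning http://example.invalid/news' },
  { ts: '2010-09-21T13:40:09Z', text: 'http://example.invalid/@"onmouseover="alert(1)"/' },
  { ts: '2010-09-21T13:40:31Z', text: "lol http://example.invalid/@'onmouseover='alert(1)'/" },
  { ts: '2010-09-21T13:41:02Z', text: 'http://example.invalid/@"style="color:red"/ no handler here' },
  { ts: '2010-09-21T13:41:50Z', text: 'http://example.invalid/@"onMouseOver="x"/ still counts' },
  { ts: '2010-09-21T13:42:10Z', text: 'plain text, onload= outside any url' },
];

const hits = hitsPerMinute(CONSTRUCTED_FEED);
for (const [minute, n] of hits) console.log(minute, n);
console.log('peak per minute:', peakPerMinute(hits));
```

On the sample feed this reports two hits in the 13:40 minute and one in 13:41; the style-only breakout and the bare `onload=` outside a URL are not counted. In practice the same bucketing, fed from the public timeline, is what lets you see a curve fall from the peak toward zero and spot the long tail of users still hitting stale copies of the page.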

Cross site scripting attacks are among the most common types of Web vulnerabilities and among the easiest to exploit. However, they have been more common on complex social networking Web sites like Facebook than on Twitter, which had instituted a web of different checks and filters to prevent cross site scripting attacks, said Raiu.

Researchers were unclear how the latest hole slipped through that Web, but Raiu noted a recent overhaul of the Twitter.com site, unveiled on September 14, that may have inadvertently introduced the cross site scripting vulnerability. 

In his interview, Raiu put the number of infected accounts at more than 500,000, which would make this worm one of the fastest-spreading in history. Similar attacks have happened in the past, with Facebook hit by this type of attack; the difference, he said, is that Twitter had checked for such holes more often.

The XSS vulnerability itself was simple and obvious, taking advantage of the standard javascript feature onmouseover. A victim did not have to click anything, only move the mouse on top of the injected code: Twitter reprinted the code into the page, the browser simply ran it, and it posted a retweet whenever the cursor passed over it. The exploit relied on the fact that code appended to a link was executed. Twitter.com had all kinds of checks for script tags, so Raiu did not know what had happened and was not sure whether it was related, but Twitter had recently deployed a new version of the Web site, rewritten from scratch, which could be one explanation.

Raiu saw two or three substantially different versions circulating: one worm written by a single author, apparently another separate one, and multiple instances of each spreading on Twitter. One of the worms used a jQuery selector, a different technique from the retweet variants. Even after Twitter fixed the exploit he still saw people being infected, or still infected, at around 40 a minute, down from 100 a second, because users were still getting the old version of the page through browser caches and proxies, and because Twitter uses Akamai or other distributed servers to which the patch had not yet propagated. Twitter was getting hammered.

XSS attacks are quite popular on Facebook. In this case, people using a client such as Twhirl or Twitterific were not affected, because the client does not render javascript. Raiu thinks it is good practice to use a client instead of the Web site, since the client takes care of Web-based attacks. Twhirl, for instance, updates itself.

The hole raises issues for Web-based users of Twitter. Third-party client applications for managing Twitter feeds, such as Twhirl and TweetDeck, were not susceptible to the cross site scripting attack, Raiu noted. Twitter users concerned about future attacks might consider shifting to one of those applications, he said.

Categories: Malware, Vulnerabilities, Web Security

Comments (3)

  1. Davidkris

    This is a great example of something we’re trying to stop. We are working on a product that keeps rogue code from running on your machine. It’s a Firefox plug-in that runs all your browsing through a proxy, hides your IP, filters malware and transcodes files into safe file formats. It’s only in beta now, but still pretty cool – and free if you’d like to check it out. http://www.getCocoon.com Thanks, David

  2. jkim

    It’s interesting that just yesterday there was another vulnerability bringing down Facebook for 2+ hours.  I think more vulnerabilities will be exploited by hackers as the Facebook and Twitter user bases continue to grow.  It will be interesting to see how federation comes into play as users start to see the need for multiple islands of social networks to be connected.

    Read more:

    http://futureofsocialnetwork.blogspot.com/2010/09/twitter-hacked-facebook-down-whats-next.html

  3. ddjr

    Although Twitter has secured their main page, they have not changed their mobile sites “m.twitter.com” or “mobile.twitter.com” as of today, 06 Dec 2010 @ 9:30.

    Users using an SSL connection to m.twitter.com are required to ignore the invalid certificate warning from their browser:

    “m.twitter.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    www.twitter.com, twitter.com

    (Error code: ssl_error_bad_cert_domain)”

    Which can condition users to ignore security warnings, making a successful MITM attack possible.

    The site, “mobile.twitter.com” is completely unsecured by SSL. The URL, “http://m.twitter.com/” redirects to this site as well.

    These mobile sites are accessible from any browser, not just mobiles. They do not use Javascript so they are faster and easier on older browsers and systems and are more efficiently utilized by screenreaders used by the blind. Some people prefer using the simpler mobile site as well.

    Twitter has seen fit to ignore these problems, and has been absolutely silent about them, probably hoping that if they pretend these problems do not exist, they will not be noticed and exploited.

Comments are closed.