UPDATE— Within an hour of reports surfacing about a cross-site scripting bug on the Twitter home page, a worm exploiting the bug was released on the site. However, engineers at Twitter have repaired the bug and say it should no longer be exploitable.
The bug appeared Tuesday morning and experts quickly noticed users taking advantage of the flaw. Details of the bug are slim right now, though experts say that mousing over a specific link will produce a pop-up window that displays the logged-in user’s Twitter cookie. The attack later incorporated a cross-site request forgery component that forced users to retweet a piece of code.
“Apparently, there is an actively exploited XSS vulnerability on Twitter. From my first preliminary analysis, you’ll have to hover over a link to activate it and so far I have just seen some proof of concepts from people I follow. However, this vulnerability looks at least semi-wormable, so better turn JavaScript off on Twitter for now,” Kaspersky Lab researcher Georg Wicherski said in a blog post on the bug.
Soon after the proof-of-concept appeared on Twitter, someone released a worm on the site that automatically retweeted a piece of JavaScript code when a user moused over a link. Other proofs of concept exploited the vulnerability without any user interaction at all. By about 10 AM EDT on Tuesday, the worm was slowing down as Twitter’s team caught up and closed the vulnerability.
Cross-site scripting flaws have been a persistent problem on Web sites for several years now, and attackers often use them as one piece of a larger attack. Persistent (stored) XSS flaws let an attacker get attack code saved on the vulnerable site itself, so that the site serves it to every other user who views the affected page, which is what makes a flaw like this one wormable.
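To make the mouseover attack and the stored-XSS mechanism above concrete, here is an added example that is not Twitter’s code and not from the article. The article does not say how the link-rendering bug worked, so the mechanism shown (a tweet renderer that drops a URL into an `href` attribute without encoding, letting a double quote in the URL start a new `onmouseover` attribute) is an assumption chosen to reproduce the behaviour described: a pop-up showing `document.cookie` when the link is hovered. The sample tweet, the hostname `example.test` and the helper names are all constructed for illustration.

```javascript
// Illustrative tweet renderer: the unsafe version next to a hardened one.
// Not Twitter's code; the attribute-injection mechanism is an assumption.

// Only http/https URLs are linkified, so javascript: URLs never become hrefs.
const URL_RE = /https?:\/\/\S+/g;

// VULNERABLE: the matched URL is interpolated verbatim into an href attribute.
// A `"` inside the URL closes the attribute, and whatever follows is parsed
// by the browser as further attributes on the <a> element, e.g. onmouseover.
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Attribute/text encoding for the five HTML-significant characters.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// HARDENED: every piece of user-controlled text is encoded before it is
// placed either in an attribute value or in a text node. Linkification runs
// on the raw text so the encoding is applied once to each output context.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const enc = escapeHtml(m[0]);
    out += `<a href="${enc}">${enc}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Heuristic check (not a full HTML parser): does any tag carry an on*=
// attribute? A quote, apostrophe or whitespace immediately before the
// attribute name is what makes it an attribute rather than inert text.
function containsEventHandler(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}

// Constructed payload modelled on the article's description: hovering the
// link pops up the logged-in user's cookie. Hostname is a placeholder.
const SAMPLE_PAYLOAD =
  'Check this http://example.test/@"onmouseover="alert(document.cookie)" out';

// Stand-alone demonstration.
console.log('unsafe:', renderTweetUnsafe(SAMPLE_PAYLOAD));
console.log('  event handler injected?', containsEventHandler(renderTweetUnsafe(SAMPLE_PAYLOAD)));
console.log('safe:  ', renderTweetSafe(SAMPLE_PAYLOAD));
console.log('  event handler injected?', containsEventHandler(renderTweetSafe(SAMPLE_PAYLOAD)));
```

The payload works against the unsafe renderer with no whitespace before `onmouseover`, because HTML parsers treat the end of a quoted attribute value followed immediately by a name as a new attribute (a parse error that browsers tolerate). In the hardened output the same quote becomes `&quot;`, which the browser decodes only as data inside the `href` value, so the link still points where it says and no handler is attached.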
Experts were recommending that users avoid the main Twitter Web interface and instead access the service through third-party applications, which still may be a good precaution to take for the time being.