Feeds

Twitter overrun by weekend of powerful worm attacks

No user action required

Top 5 reasons to deploy VMware with Tegile

Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby trapped user profiles.

The worm attacks began early Saturday morning and were the result of XSS, or cross-site scripting, bugs in the Twitter service. They caused those who viewed the profiles of infected users to post tweets promoting a site called StalkDaily.com. Victim profiles were then altered to include malicious javascript that infected new marks. Over the next 36 hours, at least three similar worms made the rounds, causing Twitter administrators to delete more than 10,000 tweets.

Twitter's inability to quickly contain the mess prompted some security watchers to criticize Twitter for not being more on top of it. According to this postmortem from the Dcortesi blog, the attacks exploited gaping holes that allowed users to insert tags in the URLs of Twitter users' profile pages that called malicious javascript from third-party web servers.

As is frequently the case with XSS-based attacks, the worm was unable to prey on those using the NoScript add-on for the Firefox browser.

Twitter's security team was able to block the attack for a while, but a new assault that made use of "mildly obfuscated" code soon defeated the countermeasure, raising the possibility that it was based on the detection of attack signatures rather than fixing the underlying bug that allowed the XSS vulnerability in the first place.

"The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error?" Italian researcher and NoScript creator Giorgio Maone wrote here. "This would be ridiculous, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that)."

It's not the first time Twitter has been slow to react to vulnerabilities on its site that allow self-replicating attacks against its users. The San Francisco-based company took more than 24 hours to close a separate hole discovered by white-hat hackers last month, while many of the company's employees attended the South by South West conference in Austin, Texas.

"We are still reviewing all the details, cleaning up, and we remain on alert," Twitter co-founder Biz Stone wrote Sunday. "Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future."

Stone declined to answer questions including exactly what changes it planned and how many accounts were infected. He also wouldn't say whether Twitter officials had alerted the FBI or other law-enforcement authorities.

The weekend attacks are reminiscent of other XSS-born worms that have menaced the web. The most notorious of those was the Samy worm of 2005, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author was later convicted.

An individual has claimed responsibility for the Twitter attacks, saying here he created the worm "out of boredom". His identity and claims could not be immediately confirmed.

If you think worms on social networking sites are harmless you should think again. Twitter in particular has become a platform for countless companies, organizations and celebrities to share updates with followers who blindly click on any link provided. The attacks so far have been innocuous only because the attackers have lacked sufficient malice.

XSS attacks are serious because they allow miscreants to inject their code of choice into websites that are trusted by millions of users. In turn, attackers can perform drive-by malware installations or steal authentication cookies and other log-in credentials.

And that's just the beginning. As the Dcortesi blog states:

"Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some Javascript that turned your browser into an endpoint on a bot network."

Until Twitter can give better assurances about its procedures for keeping its considerable user base safe from attack, you may want to think twice about clicking on links and user profiles, even when they appear to come from people you know and trust. The site is in the middle of an arms race, and so far it's not at all clear who has the upper hand. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.