Feeds

Twitter overrun by weekend of powerful worm attacks

No user action required

Security for virtualized datacentres

Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby trapped user profiles.

The worm attacks began early Saturday morning and were the result of XSS, or cross-site scripting, bugs in the Twitter service. They caused those who viewed the profiles of infected users to post tweets promoting a site called StalkDaily.com. Victim profiles were then altered to include malicious javascript that infected new marks. Over the next 36 hours, at least three similar worms made the rounds, causing Twitter administrators to delete more than 10,000 tweets.

Twitter's inability to quickly contain the mess prompted some security watchers to criticize Twitter for not being more on top of it. According to this postmortem from the Dcortesi blog, the attacks exploited gaping holes that allowed users to insert tags in the URLs of Twitter users' profile pages that called malicious javascript from third-party web servers.

As is frequently the case with XSS-based attacks, the worm was unable to prey on those using the NoScript add-on for the Firefox browser.

Twitter's security team was able to block the attack for a while, but a new assault that made use of "mildly obfuscated" code soon defeated the countermeasure, raising the possibility that it was based on the detection of attack signatures rather than fixing the underlying bug that allowed the XSS vulnerability in the first place.

"The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error?" Italian researcher and NoScript creator Giorgio Maone wrote here. "This would be ridiculous, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that)."

It's not the first time Twitter has been slow to react to vulnerabilities on its site that allow self-replicating attacks against its users. The San Francisco-based company took more than 24 hours to close a separate hole discovered by white-hat hackers last month, while many of the company's employees attended the South by South West conference in Austin, Texas.

"We are still reviewing all the details, cleaning up, and we remain on alert," Twitter co-founder Biz Stone wrote Sunday. "Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future."

Stone declined to answer questions including exactly what changes it planned and how many accounts were infected. He also wouldn't say whether Twitter officials had alerted the FBI or other law-enforcement authorities.

The weekend attacks are reminiscent of other XSS-born worms that have menaced the web. The most notorious of those was the Samy worm of 2005, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author was later convicted.

An individual has claimed responsibility for the Twitter attacks, saying here he created the worm "out of boredom". His identity and claims could not be immediately confirmed.

If you think worms on social networking sites are harmless you should think again. Twitter in particular has become a platform for countless companies, organizations and celebrities to share updates with followers who blindly click on any link provided. The attacks so far have been innocuous only because the attackers have lacked sufficient malice.

XSS attacks are serious because they allow miscreants to inject their code of choice into websites that are trusted by millions of users. In turn, attackers can perform drive-by malware installations or steal authentication cookies and other log-in credentials.

And that's just the beginning. As the Dcortesi blog states:

"Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some Javascript that turned your browser into an endpoint on a bot network."

Until Twitter can give better assurances about its procedures for keeping its considerable user base safe from attack, you may want to think twice about clicking on links and user profiles, even when they appear to come from people you know and trust. The site is in the middle of an arms race, and so far it's not at all clear who has the upper hand. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.