Feeds

Twitter overrun by weekend of powerful worm attacks

No user action required

Choosing a cloud hosting partner with confidence

Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby trapped user profiles.

The worm attacks began early Saturday morning and were the result of XSS, or cross-site scripting, bugs in the Twitter service. They caused those who viewed the profiles of infected users to post tweets promoting a site called StalkDaily.com. Victim profiles were then altered to include malicious javascript that infected new marks. Over the next 36 hours, at least three similar worms made the rounds, causing Twitter administrators to delete more than 10,000 tweets.

Twitter's inability to quickly contain the mess prompted some security watchers to criticize Twitter for not being more on top of it. According to this postmortem from the Dcortesi blog, the attacks exploited gaping holes that allowed users to insert tags in the URLs of Twitter users' profile pages that called malicious javascript from third-party web servers.

As is frequently the case with XSS-based attacks, the worm was unable to prey on those using the NoScript add-on for the Firefox browser.

Twitter's security team was able to block the attack for a while, but a new assault that made use of "mildly obfuscated" code soon defeated the countermeasure, raising the possibility that it was based on the detection of attack signatures rather than fixing the underlying bug that allowed the XSS vulnerability in the first place.

"The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error?" Italian researcher and NoScript creator Giorgio Maone wrote here. "This would be ridiculous, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that)."

It's not the first time Twitter has been slow to react to vulnerabilities on its site that allow self-replicating attacks against its users. The San Francisco-based company took more than 24 hours to close a separate hole discovered by white-hat hackers last month, while many of the company's employees attended the South by South West conference in Austin, Texas.

"We are still reviewing all the details, cleaning up, and we remain on alert," Twitter co-founder Biz Stone wrote Sunday. "Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future."

Stone declined to answer questions including exactly what changes it planned and how many accounts were infected. He also wouldn't say whether Twitter officials had alerted the FBI or other law-enforcement authorities.

The weekend attacks are reminiscent of other XSS-born worms that have menaced the web. The most notorious of those was the Samy worm of 2005, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author was later convicted.

An individual has claimed responsibility for the Twitter attacks, saying here he created the worm "out of boredom". His identity and claims could not be immediately confirmed.

If you think worms on social networking sites are harmless you should think again. Twitter in particular has become a platform for countless companies, organizations and celebrities to share updates with followers who blindly click on any link provided. The attacks so far have been innocuous only because the attackers have lacked sufficient malice.

XSS attacks are serious because they allow miscreants to inject their code of choice into websites that are trusted by millions of users. In turn, attackers can perform drive-by malware installations or steal authentication cookies and other log-in credentials.

And that's just the beginning. As the Dcortesi blog states:

"Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some Javascript that turned your browser into an endpoint on a bot network."

Until Twitter can give better assurances about its procedures for keeping its considerable user base safe from attack, you may want to think twice about clicking on links and user profiles, even when they appear to come from people you know and trust. The site is in the middle of an arms race, and so far it's not at all clear who has the upper hand. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED
Classified systems 'not affected' - but, is this reconnaissance?
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.