This article is more than 1 year old

Twitter overrun by weekend of powerful worm attacks

No user action required

Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby trapped user profiles.

The worm attacks began early Saturday morning and were the result of XSS, or cross-site scripting, bugs in the Twitter service. They caused those who viewed the profiles of infected users to post tweets promoting a site called StalkDaily.com. Victim profiles were then altered to include malicious javascript that infected new marks. Over the next 36 hours, at least three similar worms made the rounds, causing Twitter administrators to delete more than 10,000 tweets.

Twitter's inability to quickly contain the mess prompted some security watchers to criticize Twitter for not being more on top of it. According to this postmortem from the Dcortesi blog, the attacks exploited gaping holes that allowed users to insert tags in the URLs of Twitter users' profile pages that called malicious javascript from third-party web servers.

As is frequently the case with XSS-based attacks, the worm was unable to prey on those using the NoScript add-on for the Firefox browser.

Twitter's security team was able to block the attack for a while, but a new assault that made use of "mildly obfuscated" code soon defeated the countermeasure, raising the possibility that it was based on the detection of attack signatures rather than fixing the underlying bug that allowed the XSS vulnerability in the first place.

"The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error?" Italian researcher and NoScript creator Giorgio Maone wrote here. "This would be ridiculous, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that)."

It's not the first time Twitter has been slow to react to vulnerabilities on its site that allow self-replicating attacks against its users. The San Francisco-based company took more than 24 hours to close a separate hole discovered by white-hat hackers last month, while many of the company's employees attended the South by South West conference in Austin, Texas.

"We are still reviewing all the details, cleaning up, and we remain on alert," Twitter co-founder Biz Stone wrote Sunday. "Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future."

Stone declined to answer questions including exactly what changes it planned and how many accounts were infected. He also wouldn't say whether Twitter officials had alerted the FBI or other law-enforcement authorities.

The weekend attacks are reminiscent of other XSS-born worms that have menaced the web. The most notorious of those was the Samy worm of 2005, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author was later convicted.

An individual has claimed responsibility for the Twitter attacks, saying here he created the worm "out of boredom". His identity and claims could not be immediately confirmed.

If you think worms on social networking sites are harmless you should think again. Twitter in particular has become a platform for countless companies, organizations and celebrities to share updates with followers who blindly click on any link provided. The attacks so far have been innocuous only because the attackers have lacked sufficient malice.

XSS attacks are serious because they allow miscreants to inject their code of choice into websites that are trusted by millions of users. In turn, attackers can perform drive-by malware installations or steal authentication cookies and other log-in credentials.

And that's just the beginning. As the Dcortesi blog states:

"Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some Javascript that turned your browser into an endpoint on a bot network."

Until Twitter can give better assurances about its procedures for keeping its considerable user base safe from attack, you may want to think twice about clicking on links and user profiles, even when they appear to come from people you know and trust. The site is in the middle of an arms race, and so far it's not at all clear who has the upper hand. ®

More about

TIP US OFF

Send us news


Other stories you might like