
Twitter botches patch for nasty account-hijacking bug

All your tweets are belong to us


For the past 24 hours, Twitter engineers have been fighting a gaping hole that makes it easy for hackers to hijack the accounts of users who do nothing more than view a booby-trapped message.

So far, the hole is winning.

The XSS, or cross-site scripting, bug resides in an application programming interface Twitter provides to makers of dedicated software that works with the service. The hole makes it trivial to bypass the protections that are supposed to stop user-supplied JavaScript from being served on the twitter.com domain. After Twitter claimed to have fixed the vulnerability on Tuesday, security researchers quickly figured out a new way to exploit the weakness. At time of writing, it remained wide open.

The bug was first reported by blogger James Slater in a post that demonstrated it could be used to run arbitrary JavaScript in the browsers of people who did nothing more than view a booby-trapped tweet. Once viewed, the message pulls down script that runs in the context of twitter.com and, if the victim is logged in, has the potential to change the profile, post tweets and steal authentication cookies.

"With a few minutes work, someone with a bit of technical expertise could make a Twitter 'application' and start sending tweets with it," Slater wrote here on Wednesday. "Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do."

The bug is the latest to highlight weaknesses in the Web 2.0 service used regularly by millions of subscribers. This time around, attackers are abusing an API that makes it simple for people to write stand-alone applications that send and read messages delivered over Twitter. The interface reserves space in each tweet for the name of, and a link to, the application that sent it. Slater showed that the box can be used to invoke potentially harmful JavaScript that Twitter has taken pains to block in other parts of its service.

"That's a pretty big oversight," said Jeff Williams, CEO of web application security firm Aspect Security. "It's not uncommon when companies move from web services to APIs. They don't take the same level of security scrutiny and apply it to the interface."

Slater put it a little more forcefully. "Twitter made one of the most basic mistakes in developing web applications - never blindly trust data that is provided from the outside world!" he wrote. "Their form did no - or some very, very basic - checking on what you enter in the box."

Twitter's first stab at fixing the bug involved code that invalidated any link in the box that contained spaces, said Aviv Raff, a researcher whose recent Month of Twitter Bugs spent 30 days documenting more than 50 vulnerabilities affecting the site. That blocked one shape of the attack rather than the underlying problem: like Slater, he was able to bypass the fix simply by crafting a payload URL that contained no spaces.

"Not so smart [a] way to fix a vulnerability," he said.
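To make the failure concrete, here is an added illustration (not Twitter's code, and not the payloads Slater or Raff used, which the article does not publish). It models a tweet renderer that drops the API's application name and link straight into HTML, the "reject links with spaces" patch described above (reconstructed here as a whitespace check), and a renderer that validates the URL scheme and HTML-encodes everything. The function names, the `a.example` hostname and the sample payloads are all constructed for this example.

```javascript
// Added illustration, not Twitter's code: a hypothetical tweet renderer that
// interpolates the API's application name and link straight into HTML (the
// bug class the article describes), the "reject links with spaces" patch
// that does not fix it, and a renderer that does. All payloads below are
// constructed for this example; the article does not publish the real ones.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: attacker-controlled app name and URL land in the page untouched.
function renderSourceVulnerable(appName, appUrl) {
  return `<a href="${appUrl}">${appName}</a>`;
}

// The first patch, as described in the article: refuse any link containing
// whitespace. Returns null for a rejected link. This is a blacklist of one
// attack shape, not a fix.
function rejectLinksWithSpaces(appUrl) {
  return /\s/.test(appUrl) ? null : appUrl;
}

// Proper validation: parse the URL and allow only absolute http(s) links.
// Returns the normalised href, or null if the link is rejected.
function validateAppUrl(appUrl) {
  let u;
  try {
    u = new URL(appUrl);          // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;                  // the parser percent-encodes " and spaces in the path
}

// Fixed renderer: allowlist the URL scheme, then HTML-encode every value.
function renderSourceSafe(appName, appUrl) {
  const href = validateAppUrl(appUrl);
  if (href === null) return null;
  return `<a href="${escapeHtml(href)}">${escapeHtml(appName)}</a>`;
}

// Constructed payloads (not the ones used against Twitter).
const SAMPLES = [
  { label: 'benign', appName: 'TweetDeck', appUrl: 'http://www.tweetdeck.com/' },
  // Breaks out of href with a space-separated event handler: the space filter catches this one.
  { label: 'breakout with spaces', appName: 'x', appUrl: 'http://a.example/" onmouseover="alert(1)' },
  // No spaces at all, so the space filter waves it through.
  { label: 'javascript: scheme, no spaces', appName: 'x', appUrl: 'javascript:alert(document.cookie)' },
  // The name field is just as dangerous as the link field.
  { label: 'script in app name', appName: '<script>alert(1)</script>', appUrl: 'http://a.example/' },
];

// Runs every sample through the three renderers and reports what each emits
// (null means the input was rejected before rendering).
function compareRenderers(samples = SAMPLES) {
  return samples.map(({ label, appName, appUrl }) => {
    const afterSpaceFilter = rejectLinksWithSpaces(appUrl);
    return {
      label,
      vulnerable: renderSourceVulnerable(appName, appUrl),
      spaceFilter: afterSpaceFilter === null ? null : renderSourceVulnerable(appName, afterSpaceFilter),
      safe: renderSourceSafe(appName, appUrl),
    };
  });
}

for (const row of compareRenderers()) console.log(row);
```

The point of the comparison is the third sample: the whitespace check passes a `javascript:` link untouched, while a scheme allowlist rejects it outright, and the fourth sample shows that the name field needs the same output encoding as the link, which no amount of URL filtering provides.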

What that means is that if you read Twitter in most web browsers, it's possible, at least at time of writing, for someone to change your profile settings, send a message to all of your followers that appears to come from you, or steal the cookies Twitter uses to help authenticate you. People who use third-party apps to view tweets are less exposed, because the injected script only runs when a tweet is rendered on twitter.com. Users of Internet Explorer 8 and of Firefox with the NoScript plugin might expect their browsers' cross-site scripting filters to help, but in this case a test account we used was successfully attacked using the latest version of IE, and Raff says NoScript isn't likely to fare any better.

The alacrity Twitter showed in trying to fix the bug suggests its security team is getting more serious about fortifying the heavily trafficked site. And for that, they deserve a pat on the back.

But the failure shows the team still has work ahead of it.

It's also worth mentioning that many of the third-party applications used to send and receive tweets remain woefully insecure, according to Raff, who said a dozen or so of the bugs he discovered remain unpatched. They reside in apps such as HootSuite, TweetGrid, tr.im, TweetDeck and Twhirl. The common denominator among almost all of them: the Twitter API.

The API is so "easy to implement, that even novice developers can use it," he told The Register. "Which means that insecure apps are being developed." ®

