Twitter Attacked by Thousands of Tweet Worms

By Craig Buckler

Twitter has fixed a cross-site scripting (XSS) vulnerability which allowed thousands of self-propagating messages to spread through the system. Unbelievably, the flaw was triggered by nothing more than an onmouseover event-handler attribute smuggled into the text of a tweet. It was first exploited by zzap and judofyr following posts by RainbowTwtr earlier today:

[Image: Twitter worm]

Hovering the mouse over such a message fired a JavaScript alert and, within hours, spammers were using the flaw to redirect visitors to other websites, change profile backgrounds, and retweet the messages (which is what made it a worm: every retweet carried the payload into new timelines). Fortunately, Twitter fixed the problem before anyone used it to steal session cookies or load larger JavaScript payloads from external websites. A handler running on twitter.com has the same access to the page and the logged-in session as Twitter's own scripts, so either of those would have been a small step from the retweet payload.
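To show the class of bug involved, here is an added example (not Twitter's code, and not taken from the original post): a naive tweet "autolinker" that drops a URL straight into an href attribute, beside a hardened version that escapes the value for its HTML context. The payload string is constructed for illustration; its shape (a quote that closes the href, followed by an onmouseover handler) is assumed, as the page does not reproduce the actual worm tweets. The URL regex and the attribute tokenizer are likewise this example's own simplifications.

```javascript
// Added example, not Twitter's code. Demonstrates how an unescaped URL
// inside an href attribute lets a tweet smuggle in an onmouseover handler,
// and how output escaping prevents it.

// Assumption: a URL token runs from http(s):// to the next whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the user-supplied URL is interpolated into an attribute value
// (and into element text) without escaping.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escapes every character that can close an attribute value or open a tag.
// This is output encoding for the HTML attribute and text contexts; it is
// applied at render time, not when the tweet is stored.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same autolinking, but the value is escaped for both contexts.
// The regex already restricts the scheme to http(s), so a javascript: URL
// can never reach the href in the first place.
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Minimal attribute tokenizer modelled on how a browser reads a start tag:
// once a quoted value closes, the parser goes straight back to reading an
// attribute name, so `href="x"onmouseover="..."` yields TWO attributes even
// though no whitespace separates them. Returns the attribute names of the
// first tag found in `html` (simplified; not a full HTML parser).
function attributeNames(html) {
  const start = html.indexOf('<');
  if (start < 0) return [];
  let i = start + 1;
  while (i < html.length && !/[\s\/>]/.test(html[i])) i++; // skip tag name
  const names = [];
  while (i < html.length && html[i] !== '>') {
    if (/[\s\/]/.test(html[i])) { i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=\/>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) i++; // quoted value
        i++; // consume closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// True if the first tag in `html` carries any on* event-handler attribute.
function hasInlineHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

// Constructed payload: the quote after @ closes the href attribute and the
// rest of the "URL" becomes an onmouseover handler on the anchor.
const PAYLOAD = 'http://a.no/@"onmouseover="alert(1)"/';

console.log('unsafe:', linkifyUnsafe(PAYLOAD), '->', attributeNames(linkifyUnsafe(PAYLOAD)));
console.log('safe:  ', linkifySafe(PAYLOAD), '->', attributeNames(linkifySafe(PAYLOAD)));
```

Running it shows the unsafe anchor carrying the attributes href and onmouseover (plus a stray `"` that browsers also treat as a junk attribute), while the hardened anchor has only href, with the quotes preserved as `&quot;` inside the value. The fix is escaping at the point of output for the specific context, not "sanitizing" tweets on the way in.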

It should be noted that the bug lived in Twitter.com's rendering of tweets, so it affected the website and, potentially, any third-party system that displayed tweets in a web browser without escaping them itself. Security company F-Secure advised users to switch to desktop applications such as TweetDeck until the problem was fixed. However, all users, whichever client they used, would still have seen the rogue tweets in their timelines.

The service was affected for several hours, and a Twitter search for onmouseover reveals the extent of the flaw. A few things surprise me:

  1. Why didn’t Twitter take down the service immediately?
  2. Why wasn’t user input properly escaped when it was rendered into the page? We all make programming mistakes, but encoding untrusted text for its HTML context is a fairly fundamental defence against XSS.
  3. Why wasn’t the flaw found sooner? (Perhaps it was introduced in a recent update?)

Please tweet me with your answers. On second thoughts…
