Twitter Attacked by Thousands of Tweet Worms

By Craig Buckler

Twitter has fixed a cross-site scripting (XSS) vulnerability which caused thousands of messages to spread throughout the system. Unbelievably, the security flaw was exposed by a simple JavaScript onmouseover function call. It was first exploited by zzap and judofyr following posts by RainbowTwtr earlier today:

Twitter worm

Passing your mouse over the message caused a JavaScript alert and, within hours, spammers were using the flaw to redirect to other websites, change backgrounds, and retweet messages. Fortunately, Twitter fixed the problem before spammers could attempt to steal cookies or load larger JavaScript payloads from external websites.

It should be noted that the bug affected and, potentially, third-party systems opened in a web browser. Security company F-Secure advised users to use applications such as TweetDeck until the problem was fixed. However, all users would have seen rogue tweets.

The system was affected for several hours and a search for onmouseover reveals the extent of the flaw. A few issues surprise me:

  1. Why didn’t Twitter take down the service immediately?
  2. Why wasn’t user input fully sanitized? We all make programming mistakes, but this was a fairly fundamental problem.
  3. Why wasn’t the flaw found sooner? (Perhaps it was introduced in a recent update?)

Please tweet me with your answers. On second thoughts…

  • PeteW

    1. Because Twitter couldn’t be Twitter without Twitter, some platforms weren’t affected, and it should have been a fairly quick fix?
    2. Agreed, big mistake.
    3. Because flaws are never found until they are. Point 2 aside, we all know that no amount of testing can make anything 100% perfect, so it boggles me that people always ask questions that can only exist with the benefit of hindsight, and can only be resolved by time travel. :-)

  • Anonymous

    “…it boggles me that people always ask questions that can only exist with the benefit of hindsight, and can only be resolved by time travel.”

    While I don’t think the writer meant any ill will by his comment, I do agree with you. I see this sentiment expressed in various media and by ‘regular’ folks as well – not only related to software/technology.

    It is perhaps good to ask the question of ourselves in order to devise strategies to discover problems sooner. For others, let’s breathe deep and give folks some slack. I am quite sure that Twitter or anyone else caught up in a similar situation would have corrected the issue sooner had it come to light sooner.

  • From what I’ve heard, the bug caused browsers to crash, auto-retweeting, and internal server errors. The consequences could have been far worse had users been exposed to phishing sites, malware or other intrusions. It was a relatively easy fix, but Twitter could have taken down the main website when the problem arose.

    I accept hindsight is a wonderful thing but I’m surprised the flaw wasn’t discovered earlier. The system has been around for 4 years, user growth has been exponential, and basic XSS exploits are easy to discover. Spammers attempt to compromise minor websites, so Twitter must have been a major target. Perhaps it was too obvious? Maybe the 140 character limit thwarted serious attempts?

Get the latest in Front-end, once a week, for free.