Let’s Twitterbug – Twitter users assailed by “Pied Piper” bug

In the famous legend of the Pied Piper of Hamelin, 130 boys and girls, enticed by the Piper’s haunting melody, followed him out of town, where they were lured into a cave and never seen again.

Now users of the famous social networking site, Twitter, are vulnerable to a Pied Piper-type bug. The bug forces victims to follow the hacker’s account, a security researcher said Thursday.

Twitter is a free social networking and micro-blogging service that allows users to send updates (otherwise known as tweets).

According to Aviv Raff, the Twitter vulnerability could expose users to malware-hosting Web sites.

“It can force people to follow you, which means all your twits will be showed in their Twitter home page — including potentially malicious links,” Raff said during an interview conducted via instant messaging.

On a site dubbed “Twitpwn” that he launched earlier today to report research he’s done on the social networking and micro-blogging service, Raff spelled out only the basics. “Twitter security team was notified on 31-July-2008,” he said on the site. “Technical details will be added as soon as this vulnerability will be fixed.”

Twitter will have a fix in place by Friday, Raff added.

An attacker can currently leverage the bug by tricking users into clicking on a link on a malicious or hacked Web site. From that point, the victim’s Twitter account is automatically set to follow the attacker’s.

On Twitter, “following” another means receiving all updates, or “tweets,” sent by the other user. Those tweets are collected and displayed on the following user’s Twitter home page, or on their phone or in their instant messaging client.

This Twitter bug is the newer of a pair that Raff has found on the service. Last week, he reported another vulnerability that allowed spammers and phishers to send e-mails that included links to malicious sites to other Twitter users. Twitter patched that flaw today.

Expect more Twitter research, Raff said. “I’m working on several ways to abuse Twitter as a platform [and I’ll] publish my research in this blog when I’m done,” he said, referring to his Twitpwn site.

Raff is better known as a browser vulnerability researcher, notably for his part in May in uncovering a threat posed by the “carpet bomb” bug in Apple Inc.’s Safari to users of Microsoft Corp.’s Internet Explorer.

Most recently, he warned of several bugs in Apple’s iPhone that could be used by phishers to dupe users into visiting malicious sites or by spammers to flood the phone’s in-box with junk mail.

Software that steals your credentials

In other security news, at the Black Hat conference in Las Vegas next week, researchers will demonstrate software they’ve developed that could steal online credentials from users of popular Web sites such as Facebook, eBay and Google.

The attack relies on a new type of hybrid file that looks like different things to different programs.

By placing these files on Web sites that allow users to upload their own images, the researchers can circumvent security systems and take over the accounts of Web surfers who use these sites.

“We’ve been able to come up with a Java applet that for all intents and purposes is an image,” said John Heasman, vice president of research at Next Generation Security Software Ltd.

They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file types that are mixed. At Black Hat, the researchers will show attendees how to create the GIFAR but omit a few key details to prevent it from being used immediately in any widespread attack.

To the Web server, the file looks exactly like a .gif file. However, a browser’s Java virtual machine will open it up as a Java Archive file and then run it as an applet.

That gives the attacker an opportunity to run Java code in the victim’s browser. The browser then treats this malicious applet as though it were written by the Web site’s developers.

Here’s how an attack would work: A bad guy would create a profile on a popular Web site — Facebook, for example — and upload his GIFAR as an image on the site.

Then he’d trick a victim into visiting a malicious Web site, which would tell the victim’s browser to go open the GIFAR. At that point, the applet would run in the browser, providing the hacker access to the victim’s Facebook account.

The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos, or on Amazon.com, they say.

Because GIFARs are opened by Java, they can be opened in many types of browsers.

There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. “The attack is going to work best wherever you leave yourself logged in for long periods of time,” Heasman said.

There are a couple of ways that the GIFAR attack could be thwarted. Web sites could beef up their filtering tools so that they could spot the hybrid files. Alternatively, Sun Microsystems Inc. could tighten the Java runtime environment to prevent this from happening. The researchers expect Sun to come up with a fix not long after their Black Hat talk.
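As an illustration of the upload-filtering option, here is a sketch of a server-side check that walks the GIF block structure and rejects anything carrying data past the image's trailer or that also parses as an archive. It is an added example, not code from the researchers or from any site named here; the function names and the sample bytes are constructed for the illustration.

```python
import io
import struct
import zipfile

def gif_end(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header + logical screen descriptor
    if data[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    while True:
        kind = data[pos]
        if kind == 0x3B:                       # trailer: logical end of the image
            return pos + 1
        if kind == 0x21:                       # extension: introducer + label
            pos += 2
        elif kind == 0x2C:                     # image descriptor (10 bytes)
            flags = data[pos + 9]
            pos += 10
            if flags & 0x80:                   # local colour table present
                pos += 3 * (2 << (flags & 0x07))
            pos += 1                           # LZW minimum code size
        else:
            raise ValueError("unknown GIF block")
        while data[pos]:                       # skip data sub-blocks
            pos += data[pos] + 1
        pos += 1                               # sub-block terminator

def inspect_upload(data: bytes) -> list:
    """Return reasons to reject an upload claimed to be a GIF (empty = accept)."""
    try:
        end = gif_end(data)
    except (ValueError, IndexError):           # IndexError: truncated file
        return ["not a well-formed GIF"]
    findings = []
    if end < len(data):
        findings.append("trailing data after GIF trailer")
    if zipfile.is_zipfile(io.BytesIO(data)):   # looks for a ZIP end-of-directory record
        findings.append("also parses as a ZIP/JAR archive")
    return findings

# Constructed samples: a 1x1 GIF, and the same GIF followed by an inert ZIP.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
             + b"\xff\xff\xff\x00\x00\x00"
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02\x02\x44\x01\x00" + b"\x3b")
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("note.txt", "constructed test data")
HYBRID = CLEAN_GIF + _buf.getvalue()
```

A check like this covers only the GIF-plus-archive pairing; it does not address other file formats or other ways of getting hostile content served from a trusted site.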

But researchers say that while a Java fix may disable this one attack vector, the problem of malicious content being placed on legitimate Web applications is a much larger and thornier issue.

“There will be other ways to do this, with other technologies,” said GIFAR developer Nathan McFeters, a researcher at Ernst & Young LLP’s Advanced Security Center.

“In the long term, Web applications are going to have to take control of the content,” McFeters said. “It’s a Web application issue. The Java attack that we’re currently using is just one vector.”

He and his fellow Black Hat presenters have entitled their talk “The Internet Is Broken.”

Ultimately, browser makers will have to make some fundamental changes to their software, too, said Jeremiah Grossman, chief technology officer at WhiteHat Security Inc. “It’s not that the Internet is broken,” he said. “It’s that browser security is broken. ‘Browser security’ is really an oxymoron.”
