Twitter patches flaw after malicious link runs rampant

A serious security flaw was apparently found on Twitter on Tuesday but was quickly fixed. Hackers had exploited a flaw in Twitter, which results in pop-ups and third-party websites being opened despite users simply hovering over links with their mouse.

Hundreds of Twitter users, including Sarah Brown – wife of the former Labour Prime Minister Gordon Brown – have fallen victim to the attack. In some cases the third-party websites that are open are pornographic.

The malicious links contain Javascript code, called onMouseOver, which allows users to redirected, even if they haven’t clicked on the link.

The problem was a cross-site scripting flaw, wrote Georg Wicherski of Kaspersky Lab on the company’s blog.

Related Story: Rogue ‘sexiest video ever’ app pummels Facebook users’ PCs

Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run that shouldn’t, which can be used to steal information or potentially cause other malicious code to run.

Wicherski wrote that it appeared a user only needed to hover over a malicious link in order to trigger the flaw, but another test showed that no user interaction was required.

“It is possible to load secondary JavaScript from an external URL (Uniform Resource Locator) with no user interaction, which makes this definitely wormable and dangerous,” Wicherski wrote.
Graham Cluely from security firm Sophos said in a blog that at present the flaw is being exploited for “fun and games” although “there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed”.

“Hopefully Twitter will shut down this loophole as soon as possible – disallowing users to post the onMouseOver JavaScript code, and protecting users whose browsing may be at risk,” he added.

Using malicious Javascript, attackers were able to force “retweets” of specific status updates—some close to 30,000 times—if users so much as moused over an infected tweet while logged in. Only the Twitter Website itself was affected; folks who relied on desktop or mobile versions of Twitter wouldn’t have noticed the exploit, save for a few appearances of the nefarious tweets in their timelines.

By around 9:45 a.m. Eastern time, Twitter had acknowledged the attack and begun working on the fix for its breakfast-chronicling, celebrity-stalking, microblogging network. The company reports that the patch to fix the vulnerability is rolling out across its servers.

“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit,” the company wrote on Tuesday afternoon.

Cluley advised Twitter users to avoid using the Twitter website and instead rely on a third-party client such as Tweetdeck to access the service.

At around 2:50pm this afternoon (GMT), Twitter’s @Safety feed posted the following message, suggesting that the problem was solved.

Code for the attack was posted on the IRC instant messaging service, Wicherski wrote. Other people who noticed the issue posted several harmless proof-of-concept demonstrations, wrote Paul Mutton of Netcraft. The flaw could have allowed something as benign as a pop-up message when mousing over a tweet, as shown on Netcraft’s blog.
But Mutton wrote that one user demonstrated more serious possibilities such as stealing cookies. Cookies are small pieces of data stored in a Web browser that are used for tracking users and remembering if a user wants to stay logged in to a Web site.

Audits of Web sites have shown that cross-site scripting flaws are among the most common Web application vulnerabilities.

IBM’s annual X-Force Trend and Risk Report found earlier this year that cross-site scripting attacks overtook SQL injection as the number-one type of Web application vulnerability. SQL injection attacks occur when commands are inputted into Web-based forms, which can cause back-end databases to reveal data if those databases are not configured properly.

Another survey by WhiteHat Security, a company that specializes in finding Web application vulnerabilities, found there’s a 66 percent chance a website will have a cross-site scripting problem.

With notes from Lex Friedman and Carrie-Ann Skinner

Share on LinkedIn Share with Google+