News Stay informed about the latest enterprise technology news and product updates.

Cross-site scripting Twitter attack causes chaos

A cross-site scripting Twitter attack could have been exploited to spread dangerous malware and steal user data, experts said.

The popular social network, Twitter, said it has fixed a vulnerability that enabled a cross-site scripting (XSS) attack, which wreaked havoc for a short time Tuesday when a user exploited the error to cause people to unwillingly spread a message and annoy victims with pop-up windows.

It was entirely possible to do much more damage using cross-site scripting to Twitter and its users.

Jeremiah Grossman,
chief technology officerWhiteHat Security Inc.

Victims of the Twitter attack only had to scroll over the Twitter message, which then activated the malicious code. Once activated, the message was reposted and viewable by the victim's followers, allowing it to quickly spread across the website, like a worm. Pop-up windows led victims to third-party websites peddling porn.

In a Twitter post, the company said it fully patched the flaw: "We don't believe any user info was compromised."

In a blog post about the incident, Bob Lord of Twitter's security team said that the XSS issue was discovered and patched last month. A recent code update didn't include the patch, reopening the bug, he said.

"Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts," Lord wrote.

The incident comes at a time when Twitter is under fire to improve its security and create more transparent processes. In June, the company agreed to periodic third-party reviews of its security program over the next decade, after a series of incidents that prompted the Federal Trade Commission to investigate. Twitter admitted it had numerous security issues that led to multiple breaches of its systems between January and May 2009. The latest problem involved no loss of user information, Lord wrote.

Malicious JavaScript was used to exploit the Twitter vulnerability. Experts said the incident is a result of a software development process issue. When a developer repairs a vulnerability, it is typically rolled back to the main development team so that future code updates will include the "on-the-fly" repairs, said Jeremiah Grossman, chief technology officer of Santa Clara, Calif.-based application testing vendor White Hat Security Inc.

"In many cases, the process oversight did not take into account for any hot fixes in production and failed to roll them back into development," Grossman said. "It came back to bite them. In this case, it was entirely possible to do much more damage using cross-site scripting to Twitter and its users."

Jeff Williams, chair of the OWASP Foundation and CEO of Columbia, Md.-based Web application testing vendor Aspect Security Inc., said the flaw could have been used to redirect victims to malicious websites forcing malware downloads.

"It could have been used to cause some real damage, because with cross-site scripting, the worst thing you can do is redirect someone to malware," Williams said.

Fundamental website vulnerabilities enable XSS attacks, Williams said. An attacker can insert malicious code in the form of a link that appears to be from a trustworthy source. If the link is clicked, or in this latest attack, moused over by the victim, the malicious code executes in the victim's browser, enabling an attacker to steal data, redirect the victim to a website containing more malware or simply control the behavior of the form or the webpage the victim is browsing on.

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.