Attacks/Breaches
9/21/2010
03:31 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Twitter Attack An XSS Wake-Up Call

Attackers targeted once-patched cross-site scripting flaw on Twitter's website that had re-emerged after a site update

The high-profile attack that hit the Twitter website early this morning and affected tens to hundreds of thousands of Twitter users serves as a reminder of just how the pervasive but often-dismissed cross-site scripting (XSS) vulnerability could potentially be exploited to do more serious damage.

Twitter late this morning quickly fixed the XSS flaw hackers used to wage an attack that blended both XSS and cross-site request forgery (CSRF), and the attack appeared to have little to no lasting damage. But security experts say it represents a wake-up call that the XSS bug, which typically litters many websites and is often considered relatively benign by website operators and developers, is a real problem that should be taken more seriously. It's not uncommon to find 100 XSS bugs in just one application, they say.

The XSS bug that plagued Twitter's website today had actually been patched by the social networking firm last month, but reappeared after a recent update to the site (but not the current new Twitter platform rollout), according to a Twitter blog post today.

"From a Web app security industry perspective, it's another kind of barometer showing these kinds of attacks are real and can happen," says Ryan Barnett, a senior security researcher with Trustwave's SpiderLabs. "The outcome of this was minimal. There was no permanent damage. But this is showing a proof-of-concept that the bad guys are tinkering and able do this stuff. If they are choosing to do something more destructive, it's going to be a big deal."

Beth Jones, senior threat researcher for SophosLabs North America, says this is one of the first times a major site has been hit with a big XSS attack. "We see cross-site scripting bugs all the time, but this is a really big one," Jones says. "It's showing how browser attacks have not died in any way, shape, or form."

The initial attack sent pop-ups and, in some cases, a "rainbow Twitter" post, and then redirected users to Japanese pornographic sites. Among the affected accounts was that of White House press secretary Robert Gibbs.

XSS is one of the most common vulnerabilities in websites; according to recent data from IBM X-Force and HP/TippingPoint, it remains the No. 1 flaw discovered in Web applications. Nearly 35 percent of all vulnerabilities reported in the first half of this year were XSS, according to IBM's data. XSS bugs appear when Web applications don't properly validate user input from URLs or form fields, and attackers then can sneak their own code onto a page the user visits.

The initial XSS attack on Twitter this morning began before 6 a.m. Eastern Time with users submitting JavaScript code as plain text into a tweet that then was executed in victims' browsers.

"Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an 'onMouseOver' flaw -- the exploit occurred when someone moused over a link," according to Twitter's blog post.

"onMouseOver" is a feature in JavaScript that allows script to run when a user moves its mouse cursor over a link. Then the user would inadvertently tweet a message.

Then other users added code that forced victim accounts to retweet the original tweet without their knowledge, according to Twitter. Twitter says only Twitter.com was affected and not its mobile site. User account information wasn't compromised in the attack, which mostly was used for spamming purposes, according to Twitter.

That second step was a CSRF attack, which is often paired with XSS in a deadly one-two punch, security experts say. The pop-ups were basically a localized browser exploit, which was XSS. "But if the intended payload with Twitter forced end users to request to Twitter to update their status, and it uploads their status ... it propagates and becomes a CSRF," SpiderLabs' Barnett says. "Twitter doesn't know rogue malware is doing it."

Aside from fixing the XSS bug, he says, Twitter should also be checking its CSRF defenses. "Because this is made wormable, that means that Twitter needs to go back and look at its CSRF defense," he says. "How can we make sure if [a user is] posting a status updated that this legitimately came from our [Twitter's] site and that the user intended to do this?"

Barnett says Twitter does have some CSRF mitigation features, namely a CSRF "token." "But unless they can stamp out the underlying XSS [vulnerability], the code people can scrape the CSRF token and take it. They need to address both" XSS and CSRF, he says.

Why are XSS bugs so difficult to avoid in code? Aside from a lack of knowledge about it among many developers, XSS is especially a risk to Web 2.0 applications such as Twitter because they often interface with widgets and other third-parties. It's not easy to accurately track user-supplied data and identify where it's being used securely, SpiderLabs' Barnett says.

Barnett says the resurfaced XSS flaw in the Twitter platform might have been a case of the fixes never getting fully ported to the code repositories. "This is probably a scenario where the security/developers implemented hotfixes/patches to mitigate the issue, however they never fully back-ported the fixes into the code repositories," he says. "When new code was developed and pushed into production, it reopened these vulnerabilities."

It's impossible to write completely clean and bulletproof software, SophosLabs' Jones notes. "Everyone is under time constraints; they have to get code in on deadlines," she says. So security isn't always part of the equation, she says.

Meanwhile, the XSS-CSRF attacks hit at a time when Twitter is migrating its user base to a new platform, a.k.a. "New Twitter." SophosLabs' Jones says she doesn't think the attackers' timing was a coincidence. "They did it deliberately to show that they don't think Twitter is ready ... or to give Twitter a black eye," Jones says.

A Twitter user with the handle "kinugawamasato" claims to have found the XSS bug. He tweeted today that he found the XSS bug, although other hacker members were scrambling to see who got to it first.

Twitter last summer suffered a Koobface worm infection, which led to the temporary suspension of user accounts found spreading the worm.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.