On Tuesday, September 21 a cross-site scripting (XSS) vulnerability in Twitter became publicly known and was exploited by attackers, as well as many curious copycats with non-malicious intentions. An issue surrounding the parsing of attributes of posted links allowed JavaScript code to be executed whenever a user hovered over a link with the mouse. According to Twitter, the vulnerability had been patched a month ago, but resurfaced with a recent code change. Some users started to misuse the vulnerability as a new feature, adding things like rainbow-colored text boxes or harmless pop-up boxes to their tweets.
It comes as no surprise that this vulnerability was also used for malicious purposes. You can’t really blame users for getting infected, as they didn’t even click on the suspicious links. Rolling over any of the specially crafted links was sufficient to start the embedded JavaScript code, since it used the “onmouseover” event as a trigger. This is one of the major problems with such XSS attacks—it is difficult to give good protection advice that a user can easily follow. Even tech-savvy users, used to mousing over a link to check the domain prior to clicking it, are at risk in this case. Ten years ago, typical advice was “don’t open attachments contained in emails from strangers.” Today you would need to say “don’t visit any websites”, which isn’t really practical. Using add-ons like NoScript will not protect you fully from such attacks, since one of the main points of a XSS attack is that the script is redirected by the original domain itself.
After a short while the attacks started to pick up. Some people used the script to automatically repost the message under the user’s account, spreading the message from account to account. Others redirected the unknowing users to unrelated sites, including Rickrolling. About the same time, a few worms that included remote code started to do the rounds. The author of one of the XSS worms later said that he saw at least 200,000 messages from people infected with his creation. Of course some users had more sinister ideas and redirected the users to malicious sites or scam surveys. So even though we can say most of the observed attacks were not devastating and did not steal user credentials, it’s a serious occurrence never-the-less. But this incident has not been the first of its kind – as an example we saw a few Twitter worms last year—including the worms from Mikeyy—that spread through the social network.
These kind of attacks are of course not limited to Twitter alone. Similar issues can happen on other social networks, especially since XSS vulnerabilities are not as rare as one might think. The archive at one XSS reporting website lists several entries for each major social network:
XSS attacks on social networks do happen and can be more than just a nuisance, redirecting users to malicious websites or extracting private information from user accounts. The first step towards protecting yourself against these attacks is to be aware of them. To learn more on the risks of social networking then check out our whitepaper explaining the most common threats.