Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field where an application developer would normally link to a product website. There are all sorts of malicious things people could have done to exploit the bug, like steal session cookies, create a Twitter worm or even infect unaware visitors with malware, so it’s safe to say this was a massive security threat.
Sure enough, when word got out, Twitter moved to patch the bug to prevent such bad stuff from happening. John Adams from Twitter Operations even commented on Naylor’s blog to point out that the hole had been closed shortly after he published his post.
Well, not quite.
Naylor today followed up on yesterday’s blog post with another one correctly claiming that the exploit still very much works. He proved as much by creating another dummy account on Twitter, which pops up a (harmless) dialog box when you visit the link through the website. Twitter may suspend this account soon, much like they did with the first dummy account Naylor created to make his point, so I included a screenshot of what happens when you visit that profile on top of this post.
Naylor writes:
With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets – and they are logged in to Twitter – their account could be taken over.
Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure.
In my opinion, it’s completely unacceptable that Twitter engineers never got in touch with Naylor to learn more about the exploit and adequately fix the problem, which the SEO consultant correctly calls a shame. Instead, the startup’s tech team apparently tried fixing it without really looking at the potential security issues:
Their idea of fixing it is to stop you putting spaces in the address box. Spaces. Other than that, everything else is fair game.
It’s important to note that you’re probably safe when you use any third-party client for your Twitter needs, although I’d recommend you make use of the more popular ones and stop visiting the Twitter website for the next couple of days. Whatever you do, be careful when you click links to Twitter profiles you don’t know, even when they are linked to by people you know and trust, and be on the lookout for suspicious-looking applications used to send out tweets.
We’ve contacted Twitter to let them know the security threat is still very much present. Hopefully, we’ll see an adequate fix and a statement from the startup soon.
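The flaw described above boils down to a single rendering mistake: the application’s website URL is dropped into the page markup without being escaped, so anything typed into that field becomes part of the HTML every viewer’s browser executes. The following Python snippet is an added illustration, not code from Twitter or from Naylor’s post; the template, function names and the constructed sample values are assumptions made for the example. It shows the vulnerable rendering, why a filter that only strips spaces (the “fix” Naylor describes) changes nothing, and what a correct fix looks like: context-aware HTML escaping of the value plus a check that the field actually holds an http(s) URL.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the article): a benign app URL and
# one carrying injected markup of the kind the post describes. Note that the
# injected value contains no spaces at all.
BENIGN_URL = "https://example.com/my-app"
INJECTED_URL = 'https://example.com/"><script>alert(1)</script>'

# Assumed template for the "from <app>" footer shown under a tweet.
FOOTER = '<span>from <a href="{url}">{name}</a></span>'


def render_source_vulnerable(app_name, app_url):
    """Builds the footer by plain string interpolation, with no escaping.

    This is the failure mode the post describes: whatever the developer typed
    into the website field lands verbatim inside the href attribute.
    """
    return FOOTER.format(url=app_url, name=app_name)


def render_source_space_filter(app_name, app_url):
    """Hypothetical 'fix' that only removes spaces from the URL.

    Markup that needs no spaces passes through untouched, so this does not
    close the hole; it is here only to show why such a filter is insufficient.
    """
    return render_source_vulnerable(app_name, app_url.replace(" ", ""))


def render_source_escaped(app_name, app_url):
    """Correct rendering: escape for the HTML attribute and text contexts.

    html.escape(quote=True) turns ", ', <, > and & into entities, so the value
    can no longer terminate the attribute or open a new tag.
    """
    return FOOTER.format(
        url=html.escape(app_url, quote=True),
        name=html.escape(app_name),
    )


def is_allowed_app_url(app_url):
    """Validation step, independent of escaping: only absolute http(s) URLs
    with a host are accepted, which also rejects javascript: and data: links."""
    parts = urlsplit(app_url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_source_safe(app_name, app_url):
    """Defensive combination: validate the URL, then escape on output.

    A value that fails validation is shown as plain text with no link at all.
    Escaping alone is what stops the injection; validation additionally stops
    a syntactically valid but dangerous scheme from becoming a clickable link.
    """
    if not is_allowed_app_url(app_url):
        return "<span>from {}</span>".format(html.escape(app_name))
    return render_source_escaped(app_name, app_url)


def contains_script_tag(rendered_html):
    """Crude check used to compare the three renderers on the same input."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_source_vulnerable),
                      ("space filter", render_source_space_filter),
                      ("escaped", render_source_escaped),
                      ("validated + escaped", render_source_safe)):
        out = fn("Demo App", INJECTED_URL)
        print(f"{label:20s} script tag present: {contains_script_tag(out)}")
        print("    " + out)
```

Running the block prints the four renderings of the same injected value; only the two escaping variants leave the browser nothing to execute. The validation function is deliberately separate so that the two controls can be reasoned about on their own: `INJECTED_URL` passes `is_allowed_app_url` because it is a well-formed https URL, which is exactly why output escaping, not input filtering, is the control that matters here.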
Spaces. Twitter has reduced to spaces. That’s very bad.
Twitter’s hiring policy is “let’s hire our friends”. We see every day the downside of the approach.
Let’s hire our friends who know nothing about computers.
That goes without saying. This is a company that not only stores all its confidential data in ‘the cloud’ but does it on a potential competitor’s servers.
Simply put, they are completely inept.
Are any of you using the tweetzi Twitter search tool? It might help add a layer of protection when searching…
http://tweetzi.com
Won’t really help much, best is to LOG OUT, so that just in case you open up twitter the javascript can’t do anything.
Well, that snapshot plugin displayed the Java here on TechCrunch. So hovering over that link to the dummy account executes the Java.
Maybe good to remove the link, now techcrunch is indirectly executing the Java script in my browser.
alert("XSS");
At least here at Techcrunch you are handling XSS
Seriously, it seems TC doesn’t simply escape the comments. So when I try to write alert("XSS"); it just filters my comment… quite lame
I would imagine that Naylor wasn’t the first to spot this issue and as such, Twitter username and passwords may already be in circulation.
Slightly off point – Robin, your final statement refers to Twitter as a “startup.” I was wondering at what point TechCrunch considers a startup to be a startup no more?
Exactly. Very troubling. I’ve noticed an increasing trend in spammers and strangers @ replying people at random for no other reason than to get a click back.
Eh I’m not surprised anymore. Twitter hasn’t grown infrastructure wise as fast as their massive userbase has, which just signals to me that the guys behind the scene really have no idea what they’re doing and that outside consultation needs to be considered asap. It’s stuff like this that will cause the downfall of Twitter, just as it did countless other sites like FriendFeed and MySpace. But instead of apps asking for your username and password for functionality, a user’s account can be unwillingly overtaken faster than you can close the account yourself.
Thanks heavens no-one actually uses it for anything important.
I’ve seen several friends’ accounts hijacked and used for spam, apparently only by visiting a twittertrain type website while logged into Twitter. I don’t know if this is a related technique. I don’t understand how it’s possible
Two/three weeks ago my following count started climbing on its own. Every day I would log in to find that I am following spammers and other random Twitter users. The following count would increase by about 40 each day.
Day in and day out I kept unfollowing the new people I had involuntarily followed but, boom, the next day there were a whole bunch of new ones.
I contacted Twitter (twice), I tweeted about it (more than twice) but nothing was done about it.
I changed my password 4 times, twice from a different computer but still the problem didn’t go away.
Eventually the only solution was to unfollow every one and start over again.
Maybe it was something like this that ‘infected’ my account. Dodgy stuff indeed. No thanks to Twitter for never responding to my questions / requests for help.
Thanks for bringing this up TC.
Are you using strong passwords?
Have you been giving your new Twitter password to third parties?
Is your computer really clean?
These passwords had numbers, small letters, caps. You would need to have telepathy to know what the PW was without hacking into something.
I unsubscribed to all 3rd party apps, I then changed the PW again. The whole story.
I then started working on a brand new PC, changed the PW again and it still occurred.
If they could raise millions of dollars for something like this, I’d love to meet with their investors… no, seriously.
and to think, Twitter only has 6 input fields in the settings page, and they can’t even protect that? lmao. Somebody give me millions please
yeah, I have built some sites out there that connect to Twitter and show information. My Twitter sites keep getting hacked with iframe embeds of malicious software in the footer. Some people have nothing better to do, but ruin other sites. (CN, RU, I mean you!)
Every Twitter user should be seriously worried about this news; Twitter should be more aware and take the necessary precautionary measures so that cross-site scripting attacks do not happen.
So simple to solve just some regex at the few input forms they have… omg and they get funding?
GL trying to use regex to fix xss
There’s software out there that is updated on a regular basis, due to people trying new combinations, that does a hell of a lot to protect against XSS.
Twitter has turned into one massive spam bot.
Wow, that account is still not shut down. What a massive fail, and they don’t take the threat seriously. What a massive fail.
Quoting:
“it’s completely unacceptable that Twitter engineers never got in touch with Naylor to learn more about the exploit and adequately fix the problem”
Even from the outside the exploit is obvious.
The app’s URL isn’t sanitised OR encoded properly before display. School boy error, and easily fixed.
It’s literally about 10 seconds work, how have they let this through?
Visited the test account linked in the article above, and it appears the exploit is still live. This is one of those issues in which locking down the service until it is corrected would be the better move.
It would be unfortunate to see the downtime, especially with recent events still fresh in everyone’s mind, but with this? I would be happy to wait until it is corrected.
I am amazed at how they have handled this security flaw so far.
you mean at how they haven’t handled it…
In my view, this is A LOT bigger deal than the leaked twitter docs story. I can’t believe these guys with all that VC money A) had this open in the first place and B) did not adequately fix it, contact the guy who found the exploit!
As someone who uses the site over clients, I’m not safe using their service at this point. Totally uncool.
I too experienced some creative Twitter account hacking on August 18th and wrote a post about it: Twitter Accounts Being Hacked Enmasse?
http://searchma...acked-en-masse/
I don’t know if there is any Spanish-speaking reader here, but this seems incredible to me. What I don’t understand is that Twitter isn’t up to the task, and doesn’t have the visibility, the will or, it even seems, the competence to solve the issue. Does anyone have direct contact with someone at the company??? It’s a sensitive topic…
Quite interesting!
It’s XSS. I can’t believe they are not sanitizing all user input for SQL injection and XSS… Protecting against these attacks is easy…
Twitter should be taken down until this is fixed.
Oh Dear! Twitter in trouble again? What about not so long ago troubles with documents and passwords? http://www.mone...ords-hacked…/
Recently I read about Twitter problems from not so long ago http://www.mone...ords-hacked…/
Ahahahahahahaha – hahaha, well now I got that out of the way, time to make some money with some traffic brb.
I love stories like this because it hopefully help the rest of us make our systems more secure to this kind of attack.
It’s interesting you call Twitter a ’startup’ when it’s raised over $55 million and been around for well over 2 years. Weird.
Hah! Twitter deleted the test account. Nice “fix”, bozos!
blog http://www.sizl...e.blogspot.com/
How do we get rid of all of this of “sharing” crap that has infested your website? I am a selfish guy. So I don’t share. Ever.
It’s a constant ****-storm for them, to be sure. Twitter seems to constantly be having problems, and most I’m sure would never have popped up if it weren’t so popular.
Like MG I’ve also moved on from Twitter, but not for such curmudgeonly reasons. We’re in a social-networking bubble (not unlike the IT bubble almost a decade ago), and Twitter is the Napster of microblogging.
Just another step on the road to fail.
I’m afraid twitter is flawed, and not just technology wise.
This article describes perfectly why this is the case:
Why twitter is ‘gay’
Read this article about how solid is twitter.
http://www.arti...ips-on-twitter/
I got one word for twitter, ZEND.
I bet the French hacker who stole and leaked all those twitter docs really feels dumb now. All that work he went to and all he would have had to do is use this exploit to gain far greater access.
Wow, really Elliot? The French hacker got a lot more sensitive documents than you could get with XSS.
The best-case scenario is you get an admin to view your XSS, steal their cookies and log in as them.
Hope there is an admin section that allows you to view every file on the server, make changes, view passwords. Root the server.
The French hacker acquired emails, internal documents, that I am sure are not kept on twitter.com.
Remember you can sign up for XSS alerts on sites you own or visit at http://xssed.com
This will keep you informed if a site you use is vulnerable and you should be aware!
Ugh oh.
Wow, really makes you feel safe to be using twitter??!! Thanks for the suggestion William, I’m gonna go check out tweetzi!
RM
NOOOOOOOOOOO!!!!!!
<script>alert('NotGoodFor ');</script>