The Vulnerability Threat

Social networking sites, such as Twitter, are nowadays a leading target for hackers. The reason is simple… such sites have large user-bases; by infecting a social networking site, attackers can get to a whole lot of users… with less effort of course!

Almost 24 hours after the first cross-site-scripting (XSS) attack, Twitter.com was under attack again, this time by “Mikeyy Twitter”. This new threat came only a few hours after Twitter announced that it had fixed a security vulnerability that the “StalkDaily” worm had exploited to spread world-wide. The “Mikeyy Twitter” attack also wreaked havoc by generating an estimated 1500 ‘malicious’ tweets a minute. Since then, numerous other attacks are said to have taken place, all of which used script injection and exploited a major XSS vulnerability in Twitter.

What is Cross Site Scripting (XSS)?

XSS is a technique primarily used by malicious users to obtain sensitive data. It exploits weaknesses in a webpage’s user-input validation checks: the attacker fills in text entry fields on the page with malicious code written in common technologies, including JavaScript. The injected commands make the website behave erratically, and the injection is usually done with the intent of illicitly acquiring sensitive data, such as credit card and other personal details. In the case of Twitter, however, the exploit leads users to unwittingly post specific messages. In some cases, the attacker also manages to get hold of user credentials and subsequently hijack the Twitter account.

How Can Hackers Access My Account?

In the past, Yahoo! had a similar problem, where malicious users took advantage of similar vulnerabilities to steal authentication cookies from Yahoo! users and transmit them to a website owned by the attacker. Consequently, the attacker was equipped with information that allowed him to access third-party Yahoo! accounts, including Yahoo! Mail.

Hacker Croll is notorious for his ability to gain access to the personal data of celebrities and other high-profile persons by helping himself to email addresses and contact details. Celebrities on his hit-list have included Britney Spears and Ashton Kutcher. Hacker Croll also managed to gain access to the account of Twitter’s product management director Jason Goldman.

How did he do it? Hacker Croll admitted to first gaining access to Goldman’s Yahoo! account and later finding out his Twitter password.

“One of the admins has a Yahoo! account; I’ve reset the password by cracking the secret question. Then, in the mailbox, I have found her [sic] twitter password,” Hacker Croll said Wednesday in a posting to an online discussion forum. “I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection.”

Has the XSS issue been fixed?

Twitter claims to have fixed the problem; however, Lance James and Eric Wastl, two security researchers for Secure Sciences Corporation, have announced that users are potentially still at risk.

To back up their claim, the two have set up a proof-of-concept URL. The shortened version of the proof-of-concept URL has since been disabled by the TinyURL service, yet the full URL is still available at: http://www.securescience.net/twoubledtwitter.html

Clicking this link first warns users of what they are about to do and then asks them if they want to proceed. On clicking the “OK” button, an automatic message that reads “@XSSExploits I just got owned!” is posted on their Twitter page.

“With a technology such as Twitter, I could use it to infect massive amounts of twitter readers/users, say with malware or steal their accounts, etc.”, Lance James explains for The Register.

What needs to be done?

The issue seems to stem from Twitter’s application programming interface (API). This API is used in applications like TwitterFox, through which users can post tweets. The cause seems to be a bug in the URL filtering mechanism that allows users to insert malicious JavaScript code along with a URL.

So, to start with, Twitter’s application programming interface (API) needs to implement some sort of input handling, preferably using a whitelist strategy to decide whether input should be accepted or rejected.
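
As an added illustration of the whitelist strategy recommended above (this is not Twitter’s code and not part of the original article), the sketch below validates a user-supplied URL field against an allowlist and encodes it on output. The function names, the length limit and the sample inputs are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # allowlist: anything not listed is refused
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")
MARKUP_CHARS = set("\"'<>`\\")        # characters that can break out of an HTML attribute

def validate_profile_url(raw, max_len=200):
    """Return the URL unchanged if it passes every allowlist check, else None."""
    if not isinstance(raw, str) or not raw or len(raw) > max_len:
        return None
    # Refuse markup metacharacters, whitespace and control characters outright.
    if any(c in MARKUP_CHARS or c.isspace() or not c.isprintable() for c in raw):
        return None
    try:
        parts = urlsplit(raw)
        host = parts.hostname          # lower-cased by urlsplit
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES:   # blocks javascript:, data:, scheme-less input
        return None
    if "@" in parts.netloc:                   # no embedded credentials
        return None
    if not host or not HOST_RE.fullmatch(host):
        return None
    return raw

def render_profile_link(raw):
    """Validate on input, then encode on output; invalid input yields no link at all."""
    url = validate_profile_url(raw)
    if url is None:
        return ""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'

# Constructed sample inputs (not taken from any real incident).
SAMPLES = [
    "https://example.test/me?tab=1",
    "https://example.test/?a=1&b=2",
    'http://example.test/"><script src=//cdn.example.test/a.js></script>',
    "javascript:alert(1)",
    "http://user@example.test/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(render_profile_link(sample)))
```

Validation and output encoding are applied together here: the allowlist refuses input that is not a plain http(s) URL, and the encoding step keeps an accepted value from being interpreted as markup when it is written into the page.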

Sounds simple, yet it transpires that at the time of writing, the patch released by Twitter has failed to fix the issue, so the vulnerability is still present! Until Twitter finds an effective fix, it is important that Twitter users are cautious. Attackers could capture their account credentials, redirect users to a site of their choosing, alter users’ tweets or “followers,” as well as send messages from a compromised account!

Tips, actions and recommended countermeasures against Twitter exploits:

  • Keep in mind that not everything on the Internet is 100% safe and it never has been. Be careful when visiting links.
  • Keep an eye out for Twitter status updates.
  • If Firefox is your browser of choice, make sure to install the NoScript add-on. This add-on will protect you against XSS and “clickjacking” attacks.
  • Modify your hosts file to prevent unauthorized transfer of data to or from specific domains. Mapping a domain to 127.0.0.1 keeps your machine from reaching it, which protects against unwanted access to domains you might want to block. As soon as details of the StalkDaily injection became available, users added these to their hosts file:
    127.0.0.1 stalkdaily.com          # the domain tweets were linking to
    127.0.0.1 mikeyylolz.uuug.com     # the domain the script was being loaded from
    For more details on how to do this please visit:
    http://howto.wikia.com/wiki/Howto_block_webpages_and_domain_using_the_hosts_file
  • Do not browse to any sites while logged on to another site. When a user logs on to their account, ISA (Internet Security and Acceleration) Server issues a cookie identifying that user. On subsequent user requests, the system first checks the cookie to see if the user was already authenticated, so that the user does not have to supply credentials again. It is therefore important to always log off from your email or Twitter account before navigating to another webpage, so that this cookie is deleted. If you do not log off before navigating to another site, the cookie is still saved and attackers may gain access to your credentials from it. Current versions of popular web browsers include options to delete ‘persistent’ cookies when the webpage is closed.
  • Make sure that your account password:
    o Is changed frequently – at least once a month
    o Is at least 8 alphanumeric characters long.