Wednesday, September 22, 2010

Twitter Hack: From "Harmless" Exploration to Criminal Action

If you blinked you missed it. I blinked yesterday. I was playing Planes Trains and Automobiles in Maryland and only heard about "the Twitter Worm" when the media contacted me for my comment late in the day. It made some fascinating reading this morning, and should be an important reminder about the dangers of cross-site scripting, or XSS.

Cross Site Scripting has been a known technique since at least 1999, when Georgi Guninski and David Ross warned Microsoft about the technique leading to the January 25, 2000 meeting with CERT as described in the syngress book XSS Attacks: Cross Site Scripting Exploits and Defense. If you really want to understand Cross Site Scripting, in addition to that book, you'll want to keep tabs on the XSS Cheat Sheet maintained by Robert Hansen (@RSnake), who, along with Jeremiah Grossman (@JeremiahG), are the leading experts in this space.

The underlying discovery for all of the Twitter mischief yesterday was that when a URL was followed by an "@" sign, whatever followed the @ sign would also be interpreted as part of the URL. The primary use of this activity yesterday was to show that a URL, even a short and unresolvable URL such as "" could be followed with an "onmouseover=" command which would execute whatever javascript followed when a Twitter reader moved their mouse over that URL.

Yesterday Japanese Twitter explorer Masato Kinugawa said he had reported a Cross Site Scripting bug to Twitter on August 14th, but no one did anything to fix it. In his posting, he provided a link to an article explaining his demonstration, where he could change the color of Twitter posts or pop up "Alert" messages as a way of demonstrating the flaw. In his post, he linked to a "Social Programming" post by Matt Sanford on GitHub: Social Programming that demonstrated the flaw.

Matt's post suggested a long list of tests that a Twitter-client author would want to put into place to make sure that Tweets passed to their Twitter-client were not exploitable via Cross-Site Scripting, as well as many "fixes" that could help when a user accidentally made an error posting a URL which would cause to much of the text to be interpreted as a URL.

Only two hours ago (9 AM US Central Time, 22SEP2010), posted again, this time in English, a warning:

"There is still XSS on Twitter.I have already reported about 2 month ago.I never disclose this until fixed,but Twitter should fix asap."

Reading through Kinugawamasato's posts really is a great tutorial for understanding how the Twitter bug came about. I'm happy to report that my Firefox NoScript plug-in worked to block all of these things, dutifully reporting "Possible Cross-Site Scripting" alerts when I looked at Kinugawa's posted links.

While Twitter already killed Kinugawa's original "@rainbowtwtr" account, Kinugawa had actually created a backup account as well, where his August 14th demonstration is still available to be seen:

Kinugawa strikes me as a reasonable "full disclosure" researcher who is working with the "good guys" to find ways to protect from XSS. Unfortunately, as often happens to the Full Disclosure Crowd, as soon as his revelations were made public, others pounced on them to do "more evil" things.

One example of this would be that using this technique of passing JavaScript commands to Twitter, another user learned how to create a Worm, where every person who fell for the JavaScript "onmouseover" exploit, would propagate the message themselves.

JudoFyr claims to be the first to turn the "onmouseover" into a Twitter worm, using this technique:

The val(this.innerHTML);$('.status-update-form').submit() was his key to resending the message back to Twitter.

Others then took the "still intending to be innocent" worm, and hooked it up to spread malicious links. One example of the latter used an encoding technique to push a particularly popular URL which may have been tweeted a few hundred thousand times yesterday:




People kept looking at that URL and saying "I don't get it! How is "u002f" a website?

Its not, its a Unicode Encoded "/", which has the ASCII value of "2F". So this code really called the URL shortening service "" and asked for the URL with the shortcut "fl9A7". That URL was the shortcut for the site:

which caused visitors to repost a twitter status that propogated the twitter message. pulled Javascript code from:

which forwarded visitors to a Japanese porn website on ""

FlashBack Moment

Some of you will probably have had the same reaction to this worm as I did -- a Flashback to the Samy MySpace Worm. In that worm, Samy Kamkar spread a worm that caused any MySpace member who saw his code in a browser to make Samy their "friend" and then post a link to all of their friends' MySpace pages, declaring "Samy Is My Hero" and containing the malicious code.

Samy was sentenced on January 31, 2007 - convicted as a felon for violation of Penal Code section 502(c)(8) and placed on three years probation and ordered to serve 90 days of community service.

Samy's timeline and other events related to the worm are retold on the page I'm Popular. Apparently the goal of the worm was to find pictures of random hot girls to look at. That page contains a screen shot Samy took showing that he had 919,664 friends at that time.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.