Wednesday, April 15, 2009

Bad Guys pwn Twitter

Spam served up through lousy, insecure Twitter web pages:

Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby trapped user profiles.

The worm attacks began early Saturday morning and were the result of XSS, or cross-site scripting, bugs in the Twitter service. They caused those who viewed the profiles of infected users to post tweets promoting a site called StalkDaily.com. Victim profiles were then altered to include malicious javascript that infected new marks. Over the next 36 hours, at least three similar worms made the rounds, causing Twitter administrators to delete more than 10,000 tweets.

Both my regular readers will remember my recent post about how Amazon might have just run afoul of XSS, too.

El Reg rightly points out that the Noscript plugin for Firefox stops this sort of attack cold.

3 comments:

chrisb said...

That plugin kind of gimps the web a bit. Thanks lazy programmers. You return the rest of us to 1995, because you are to stupid to prevent XSS. It is so easy to avoid too.

chrisb said...

All one has to do is either encode the display of user input, or clean it up before storing it. Seriously, it is stupid easy.

Unfortunately it is all to common. Enable JavaScript and check out this link on my blog for a simple demonstration.

http://www.gunsandguts.com/2009/04/simple-demonstration/

WordPress allows this lol. I suppose I should search for a setting to not allow it, or upgrade and see if it has been fixed.

chrisb said...

Last comment on this I swear.

I must apologize to WordPress. They only allow script injection if you are an administrator, which is as it should be.

Unfortunately, there are thousands of sites that are not so fortunate. Twitter being among them apparently.