Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."

First Post

[Anonymous Coward]

http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:First Post

[blai]

RT @Anonymous\ Coward http://t.co/@ [t.co] [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:

[SimonTheSoundMan]

Requires one word — "ROTFL".

Re:

[Crudely_Indecent]

Which one of the five words represented by that acronym [acronymfinder.com] are you referring to?

Re:

[goombah99]

How does this actually work? It's usually hard to write a program that can print itself out. And to do that in so few characters would be even harder. However it looks like this one is somehow cheating and asking the containing document to tell it it's own content. But I'm not a good java script programmer to understand it.

Re:

[c6gunner]

Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.

Re:

[somersault]

It's all a ruse. If someone tries to mod him down, he shall become more powerful than we could possibly imagine. Or at least, the script will start working :0

Re:

[rickb928]

Naw. ACs have a short lifespan. They were made [wikipedia.org] that way. We need not concern ourselves with them unless they become dangerous.

What dangerous is should be obvious.

Re:

[somersault]

What dangerous is should be obvious.

Able to make their way up the basement stairs?

Well

[The MAZZTer]

I'm sure glad all the tweets about this have the #mouseover hash tag so I can click on it in my client to open the twitter.com web interface and read about how I shouldn't use the twitter.com web interface.

Re:

[The MAZZTer]

Looks like any JS event for anchor tags can be used (I just made one using the sample seen in the article for an onclick handler that returns false).

Re:

[The MAZZTer]

Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.

Or mobile

[bbtom]

If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/ [twitter.com]

Re:Or mobile

[bbtom]

The conditional word "if" was included for your convenience.

Re:

[JustOK]

So, if he doesn't want to use the web interface, then is the mobile version affected or not?

Re:

[Bonewalker]

If a social media hub is infected with a virus and no one is around to mouse-over it, would it still make Slashdot's front page?

Re:

[JustOK]

question would be how many dupes would appear.

Hmm

[grub]

Why, again, should I be using Twitter?

Re:Hmm

[MrHanky]

It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

Re:

[somersault]

Can't really tell if that's a joke about the article, or whether that's actually meant to mean something useful. Doesn't really help answer his question either way..

Re:

[Pojut]

I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

Re:

[grub]

Yes, for that I agree, should have clarified and meant as a 'tweeter'.

Still think I nailed it when I wrote "Twitter: the UDP of human conversation. -me" [slashdot.org]

Re:

[kisrael]

Ironically, your clever (and shibboleth-ish; I had to google UDP to make sure I got it) line about twitter is an excellent example of what twitter is excellent for, as a "tweeter" -- the sharing of an engaging twist of perspective.

There's a lingering perception of twitter as a "what I'm having for dinner right now" kind of thing, but in practice that's a small fraction of the use of it (YMMV)-- conversely I would say Twitter's "right in the moment" aspect makes such talk a little more engaging and less bana

Re:

[grub]

Well, we're even. I had to google "shibboleth" :)

Cheers!

Re:

[grub]

I've posted it once before, google will prove it. Nice troll, though.

Re:

[MobileTatsu-NJG]

I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

But.. but.. but... it's mainstream! And mainstream stuff, especially things that require 'followers' or 'friends', is dumb and stupid and totally beneath us nerds! I prefer to use email and other less ideal solutions that this thing does elegantly!

Re:

[coryking]

Twitter is hardly mainstream. Out of a huge assortment of people I know, almost all of them, nerds or technophobes have a facebook account. I have only met one person who claims to use Twitter.

Twitter is pure, 100% hype. It is the most hyped ".com" I've seen since, well, the dot.com days. Seriously. Twitter is not mainstream in the least.

Re:

[MobileTatsu-NJG]

"Twitter is hardly mainstream.... It is the most hyped ".com" I've seen since, well, the dot.com days."

Heh. Seriously? It's more hyped than any .com and it's not mainstream?

Two billion tweets in a 3 month period? Every business and their mother advertising 'follow us on twitter!' The word 'tweet' being widely recognized by most Joe Schmoe's?

Okie doke. Not mainstream at all.

Re:

[kisrael]

I can't tell you why you should be using Twitter, but some of us have friends or know of folks online who are good at dropping the pithy bon mot, or find it a convenient way to announce things.

Why again should you be using email? Or SMS txt'ing? Or slashdot?

Re:

[NotBorg]

Email? Meh, old news. Texting? Meh, newfangled. Slashdot? Ah Slashdot: You will never find a more wretched hive of scum and villainy. We must be cautious.

Re:

[AbRASiON]

I have mod points, so it's really hard to decide if I should reply or just send your obvious bait into oblivion.
Instead I'll bite though.

I hated twitter when I first heard about it, I didn't 'get' it. Now, having used it - it's the most powerful communications tool I've ever seen, period.
It's a perfect replacement to SMS, I can see if events are occuring internationally almost instantly, I can broadcast things to all or keep them private. It's an incredible tool for sharing information and frankly should

Re:

[tehcyder]

For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?

In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing. When you lo into Film Star A's blog, you know you're just doing the equivalent of reading her diary. But when you get a tweet on your mobile phone, it's sort of like she's talking directly to you.

Re:

[kisrael]

"For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?"

It's the one to many thing -- not "many" as in "countless hoards of fans", but many as in "a set of people I know in real life and who I've run into online" -- most people don't generate enough content to make a website worth coming back to on a daily or more basis, but amalgamated with a bunch of other people's thoughts, and now you've got something!

Th

Re:

[Bill, Shooter of Bul]

judging by the media, I'd say you're supposed to use twitter if you're ever in jail/kidnapped in a third world country. Then you'll be set free by a flashmob of justin berbers, only to discover you've just been punk'd.

Re:

[CrazyJim1]

I got my job through Twitter. It is social networking. If you use it right, you meet new people.

Re:

[spectro]

Twitter is great for those of us with no writing talent: no need to post a whole blog about an idea we can explain in 140 characters or less

Re:

[dswensen]

Actually, being able to work within strict limitations -is- a pretty good indicator of talent. It's much easier to bloviate for paragraphs at a time without saying anything.

Again?

[Dragoniz3r]

You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

Re:

[NevarMore]

What if its a tweet about programming in JavaScript?

Re:

[Dragoniz3r]

Then you escape it so it displays, instead of executing... seriously... same way you handle < and > and all the other naughty characters

Re:

[gpuk]

That's what he meant (i hope)

Re:

[martas]

then force people to use escaped sequences. i.e. only display "computer.fuckUp()" at the very last step, in the ui. everywhere else it should be "computer\.fuckUp\(\)". [note: toy example. not actually claiming that '.' and parens should be escaped...]

Re:

[cygnwolf]

So you sanitize it to display characters only instead of a script.

Re:

[Jason Levine]

Easy. If they escaped double-quotes (") to &quote; then this wouldn't happen because the code wouldn't be able to escape the href section of the link.

Re:

[somersault]

But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0

Re:

[dkf]

But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0

But what if attackers used single quotes too?

(Sheesh!)

Re:

[somersault]

That's what I meant..

Re:

[Deag]

I think it is half solutions that are the problem. Allowing any sort of tags allows for adding script to various events and the like and even stripping them is quite difficult.
You either need to use a library that is proven to do this or escape all html.

Re:

[somersault]

or the server could just convert < and > to &lt; and &gt; when it received a tweet, wouldn't that work to "escape all HTML"?

Re:

[Deag]

That is one way of doing it, but if you have a requirement for rich text for example it complicates things. And the more control you are handing over to the user the more difficult it is to stop javascript sneaking in somewhere.

Re:

[omnichad]

The server shouldn't really store HTML entities. You don't want to receive that junk in an XML API or to have to convert it for a non-HTML desktop client. You store the original and escape for display.

Re:

[somersault]

Good point, that's actually how I already handle this type of situation in my own apps now that I think about it: escape HTML special chars and convert newlines to break tags on the way out, but leave the original text in the database.

Re:

[iLogiK]

From I could tell, the string looks something like this: http://example.com/#@ [example.com]"onmouseover=">"

my guess is this is come bug related to how they handle hashtags/user profile links

I think they're regularly running a script that takes out the # from the link from old tweets

Re:

[TheSpoom]

Why is filtering this stuff out not part of standard input sanitization practices by now?

It is, I'd just guess that whoever is behind Twitter is not as competent as you might think.

Re:

[Sigma 7]

It's quite possible to store the tweet in 140 characters, while just as easily as escaping sensitive characters on an HTML interface. It's called escaping on demand, and any library that deals with HTML should have that feature already.

Hosts file

[MidnightPsycho]

Add "t.co" to your Windows Hosts file - this will stop the jibberish text.
Although the web interface is still broke. (The interface goes grey, and
any click still tries to go to the t.co web page)

Add this to your Hosts file:

0.0.0.0 t.co

Re:

[bbtom]

That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0

The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.

Re:

[The MAZZTer]

Using NoScript or Google Chrome's Content Settings to block JavaScript on twitter.com is also an option, maybe. Not sure how well twitter.com works that way but onmouseover handlers won't run and AJAX won't work so this exploit is useless then.

Re:Hosts file

[L4t3r4lu5]

Or don't use Twitter. Seriously.

Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...

Re:

[Jedi Alec]

Actually, I'm having a lot of fun distilling what I want to say down to its bare essence in order to fit the 140 char space.

Then again, I mostly use twitter to see my elected officials make fun of each other(and egg 'm on a bit at times).

Re:Hosts file

[Thanshin]

nothing of any real import can be expressed in 140 characters...

"The bag is in locker #437. You'll find your fee and the target's dossier inside."
"The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
"Cut the red wire."
"Salutations earthlings. We come in peace."

Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.

"Dear Mr.Assassin. I've left the money, in $20 bills, inside big a black leather bag. The target data will be inside the bag that you'll find in locker #"

Re:

[tehcyder]

For all those things I think you'd be safer using a throwaway pay as you go mobile phone and texting the message (well, maybe not the aliens).

Re:

[JustOK]

640K much?

Re:

[SimonTheSoundMan]

Spoken to twitter on IRC. It is fixed. Going to take a while to propagate through the servers.

Re:

[SimonTheSoundMan]

http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched [twitter.com]

Re:

[asdfington]

The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.

or simply retweet and lol.

Re:

[Kristopeit,MichaelDa]

can you prove there isn't exploit potential in the m.twitter.com interface?

Re:

[Anonymous Coward]

But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

Re:

[MrHanky]

No. Some of the tweets use a different address.

Re:

[MidnightPsycho]

Yeah - just saw one with "a.no" .....

Re:

[The MAZZTer]

That won't do anything. t.co is only used in order to trick twitter into creating an anchor tag, to which the onmouseover handler can be attached. Since you're on twitter.com the only place an AJAX call can be sent to retweet is... twitter.com. example.com can be used instead of t.co and the exploit would still work the same.

Obligatory xkcd

[labcoatless]

http://xkcd.com/327/ [xkcd.com]

Re:

[Kristopeit,MichaelDa]

obligatory you're an idiot...

the issue was with sanitizing database OUTPUT.

little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.

Re:

[ledow]

Whichever way you look at it (input or output) no damn javascript should EVER make it into a tweet. Nobody but Twitter knows if that's because the tweet-input routines didn't filter it effectively, or because the tweet display routines allow you to see the javascript as actual markup instead of sanitised plain-text.

Either way, allowing JS scripts, HTML tags or anything NOT TEXT into a tweet means you didn't attend your first grade computer security courses. This isn't some massively complex hack - somehow

Re:

[somersault]

Completely random aside, but in English even though you use 's to signify possession for nouns, instead of "it's", you actually write it "its".

Happy to help you sanitise your output ;)

Additional details from Netcraft, Sophos

[1sockchuck]

There's more info on the spread of this exploit from Paul Mutton at Netcraft [netcraft.com] and Graham Cluely at Sophos [sophos.com].

Re:

[Spykk]

Confirmed by Netcraft? Better start panicking.

Here let me fix that for you

[hellfire]

...so it is recommended that you refrain from social media altogether.

There, fixed it for you.

Re:

[Andrewkov]

So abstinence is the best way to avoid viruses?

Re:

[socsoc]

Bah, beat me to it.

Also saw

[asdfington]

http://a.no/@ [a.no]"onmouseover=";$('textarea:first.val(this.innerHTML);$.('status-update-form.submit();"class="modal-overlay"/ which puts an overlay on the whole site, causing any mouseover to retweet. Personally I think this is pretty hilarious. If you mouse around a bunch you get something like this: http://i.imgur.com/qTPeK.png [imgur.com] Yes I know you can see my acct. in the bg, I don't care; if it were private, why would I put it on twitter?

Now FIXED

[bbtom]

It is now FIXED.

http://twitter.com/delbius/status/25120366027 [twitter.com]

Re:

[mybecq]

The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.

about 1 hour ago via web
Retweeted by 100+ people

So, they tweeted that they had fixed a bug preventing unintended retweeting, and 100+ people have retweeted it?

pure shame.

[Kristopeit,MichaelDa]

a web application allowing users to output html that can alter layout, or javascript that can be executed is such a giant fail, that twitter should seriously consider firing the highest members of it's management staff responsible for code architecture review.

as is always the case, they'll claim it passed regression testing, so there was nothing they could do... but the simple fact is they failed at creating viable regression tests.

this is kindergarten CS stuff... these are the developers the big name out

Refrain from using the internet

[faulteh]

until they fix twitter.

EVERYONE! Grab a shovel.. dig a hole in the sand and instruct the person next to you to put their head in the hole, now bury their heads in the sand. Everyone do the same! Wait... one person will have to be left behind.

This is a well orchestrated attack by twitter to highlight the need to move to their own in-house url shortener t.co instead of all those other pesky untrustworthy other url shorteners. However, on a funny note it's amazing how people will, nay, must click things, espec

muted into a more sinister attack?

[Attila Dimedici]

I'm confused as to how reducing the intensity of this exploit would make it more sinister. If anybody can give me an idea of how that would work, I would appreciate it.
Now on the other hand if this attack were to mutate I could see it easily becoming something that might be very disruptive for twits (those who use Twitter).

Re:

[nwmann]

perhaps they mean making it less noticed and more destructive. therefore quiet or muted to us all the while racking up the damage.

TLDR

[vlm]

If that was TLDR, heres my summary:

"... it is recommended that you ... refrain from social media altogether ..."

Works for me!

From TFS

[vegiVamp]

"refrain from social media altogether until the problem is resolved"

I've been doing exactly that, and intend on keeping to do that until the problem of Twitter has been resolved.

Re:

[wjousts]

But how will you know what your favorite celebrities are having for lunch?!?

Re:

[vegiVamp]

The hidden webcams I've mounted everywhere in their houses, of course.

mocking illiterate editors is too easy

[sribe]

This could easily be muted into a more sinister attack.

mute |myot|
verb [ trans. ]
1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
  muffle the sound of (a musical instrument), esp. by the use of a mute.
  figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

mutate |myott|
verb
change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
  Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

Re:

[HaloZero]

You're entirely right, and that is an oversight on my part. I had originally mis-typed 'mutated' (mutaed?), and instead of spell-checking it to 'mutated', it went to 'muted'. I didn't realize until I saw it on the front page, and said 'Doh!'.

You got the idea, though.

Anyone want to seek it?

[AHuxley]

http://www.spy.appspot.com/ [appspot.com] a "search" site for social media
Might be fun to note who is using in in ~ realtime.

OWASP's Top Ten

[Temujin_12]

Every web developer should religiously study OWASP's Top Ten Most Critical Web Application Security Risks [googlecode.com] and be held accountable to it by their superiors.

Those who work with contractors should especially do this as I've found that contractors tend to have the worst habits when it comes to security.

Use a third party client? But they're broken

[IBBoard]

How can I use a 3rd party client when my favourite ones are broken and the ones that aren't broken a missing vital features for those who aren't on Twitter 24/7 (like Gwibber and its lack of scroll-back)? Curse you, OAuth deadline. Curse you!

Re:

[bbtom]

Yes, there are people who aren't total social media douchebags who use Twitter.

HootSuite uses ow.ly which for quite a long time wrapped links in a stupid 'social toolbar', a sort of crap Twitter version of the DiggBar. Horrible. If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.

Re:Easy solution

[Dragoniz3r]

I'm sorry, but 1994 called, and it wants its World Wide Web back. Interactive webpages are the future, they are actually really nice when they're done properly, and denying that is just holding you back. I expect that sooner or later secure programming mentalities will become deeply ingrained in Web programming, and things like this will stop happening. There will always be bugs, but that's no different from any other software.

NoScript is a much better solution than out-and-out disabling javascript anyways.

Re:Easy solution

[Culture20]

1994 called, and it wants its World Wide Web back.

I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>

Re:

[tehcyder]

*sobs* who ever thought we'd be getting nostalgic for blink tags?