Twitter Hit With Second Worm In a Week

adeelarshad82 writes "Days after a site update unleashed a Twitter cross-site scripting attack, the micro-blogging site was again hit with a bug that spread via questionable links. The offending messages appeared on a user's Twitter feed with 'WTF:' followed by a link. If you clicked on that link, you were taken to a blank page, but behind the scenes, the worm would post vulgar messages on your account that discussed, well, sex involving goats."

where is that goatsex link when you need it?

[ehack]

where is that goatsex link when you need it?

Re:where is that goatsex link when you need it?

[ShaunC]

WTF: Goatse [goatse.fr]

Re:where is that goatsex link when you need it?

[Anonymous Coward]

Now I've seen everything!

A link to goatse is at "+2 Insightful" as I type this.

A historical day at slashdot to be sure

Re:

[AnonymousClown]

That's because goatse is on topic and appropriate in this case. It's also on topic whenever anything to do with Congress comes up.

Geeze!

Re:

[Jedi Alec]

Next up: Twitter worms that discuss Natalie Portman naked and petrified, GNAA trolls and of course the classic penis bird.

Re:

[adavies42]

we already had our on-topic GNAA comments when their affiliates goatse security hacked at&t [slashdot.org].

Goatse Worm?

[WrongSizeGlass]

It's no surprise that you could get worms from having sex, well, with goats.

Re:

[stdarg]

I have never gotten worms from having sex with goats. Maybe vacuosly true maybe not...

I guess this script is baaaad for you.

[Even on Slashdot FOE]

And I'm still not as bad as the Twit-head who lets scripts like that gets Twitted in the first place.

Twit.

Re:I guess this script is baaaad for you.

[Bill, Shooter of Bul]

No. This is a Cross site Request Forgery attack. The Script in this case, was on the linked site, not in the tweet.

For those not in the know:

OWASP Cross Site Request Forgery Prevention sheet Sheet [owasp.org]

Re:

[Yvan256]

What about stopping that stupid cross-domain mess and only allow subdomains to be used? Sure it's going to break a lot of things (including banners...), but it would solve a lot of problems.

Re:I guess this script is baaaad for you.

[nacturation]

This post explains it quite well: http://www.andrewnacin.com/2010/09/26/csrf-twitter/ [andrewnacin.com]

Essentially, just create one or more iframes, with the iframe source set to http://twitter.com/share/update?status=WTF+PAYLOAD [example.com]

As long as you're logged into Twitter via the web, it will auto-post that update without any request for permission from you.

Re:

[thePowerOfGrayskull]

So... um... don't click the link without verifying it with the sender?

This is a basic common sense fail of the variety that keeps anti-virus vendors in business. In fact, I'm sure that right now AV companies are cooking up great Extended Plus products that will Protect you from the Evils of Twitter.

Re:

[miffo.swe]

The fucking point of the internet is klicking on links. Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken. If you have to verify every damn link you could as well just go for chess by physical mail and penpals instead of the internet.

The user uses the internet as intended, the developers, not so much.

Re:

[Plekto]

Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken.

Correct. The two most common operating systems are truly broken at this point and need a full re-write with security as their primary goal. Apple does a bit better, but it's a security joke right of the box. Windows is a mass of Swiss cheese that has a welcome sign up. And you're right, playing whack-a-mole never works. And, no, Linux also is no magic cure, either. It just has too few use

Re:

[thePowerOfGrayskull]

You're aware that there is only ONE way to make this secure OS you speak of, right? THe walled garden. You must only allow access to carefully hand selected applications. You must not allow any interpreted language to execute (including javascript) unless you can vet the code. You must not allow updates to be received from any source but the True Source, after manual review for approval.

Sound familiar? Except even Apple doesn't go far enough - the source code itself must be reviewed for every app in th

Re:

[vadim_t]

No, the walled garden is just as flawed. It fails as soon whoever maintains it lets the wrong thing in.

The real security approach is more like SELinux, where any random application is prevented from the system from accessing more than it's supposed to be able to. So for instance, a secure MP3 player is only capable of playing music, even if exploited via a buffer overflow, because the process itself has no ability to do anything but reading MP3 files and outputting sound.

The problem with with Twitter is tha

Re:

[thePowerOfGrayskull]

I agree re: walled garden (hence my final comment about "no technical solution") for exactly the reason you state.

But SELinux can't do it either - if you think about it, it's just another kind of walled garden. *somebody* has to decide what apps are allowed what permissions.

As far as the twitter issue - it' s more insidious than that. Because a tweet can be posted via a GET URL, anything that causes the browser to redirect to a static URL (even a standard HTTP 302 redirect) can cause this; it's not a

Re:

[Plekto]

SELinux, while flawed, is a massive step in the right direction, though. I'd liken it to at least putting up security cameras and reinforced plexi-glass at the local bank. It won't stop real hardened thieves, but it will deter the random criminal most of the time. As it is, on my Windows box, I have to have the following running:

Registry locker. Massive oversight by MS that I have to ADD back in.
Firewall to lock all unused ports and sharing/connections *by default*. Also a massive oversight that I have

Re:

[vadim_t]

SELinux, while flawed, is a massive step in the right direction, though. I'd liken it to at least putting up security cameras and reinforced plexi-glass at the local bank. It won't stop real hardened thieves, but it will deter the random criminal most of the time. As it is, on my Windows box, I have to have the following running:

Why not? How do you think they'll get around it?

5 programs just to get online. And it's only going to get worse until the OS makers get rightfully paranoid and distrustful.

And that

Re:

[miffo.swe]

While Linux arent a magic cure it has been and continue to be well ahead of Windows. Coupled with SELinux i would dare to say its pretty darn secure. If viruses becomes a problem im 100% sure the solution on Linux wont be antivirus as its a flawed and utterly stupid kind of action that does not address the underlying problem.

My fav security OS right now is Chrome, mostly because it regards the user himself a security risk and dont trow an UAC tantrum pushing any security related issue over onto the users sh

Re:

[thePowerOfGrayskull]

And as I said above... if I see a link that's immediately followed by some spam about leisure activities with barnyard animals, I'm gonna question that link.

Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken

I agree that all of the above are a waste of time - you can't keep up. But you also can't blame the OS because it's no more capable of keeping up (unless it's a true walled garden - which works well for some people.) than OS vendors are. My point - and I don't see how it was missed - was that "security" vendors will jump on this bandwagon claiming tha

Re:

[Anonymous Coward]

So you're saying that every single time a friend posts a link, you phone or email them and ask if you actually posted a link, and want a description of the page linked to?

Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

Re:

[thePowerOfGrayskull]

No, I'm saying that if my friend posts a link and also posts to discuss his carnal relations with barnyard animals, yer damned skippy I'm gonna check with him first.

Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

So you're saying you DO enjoy carnal relations with barnyard animals? Oops, my bad...

Sigh...

[BrokenHalo]

This exploit is no better or worse than any other social engineering attack that would work just as well via email or any other internet channel.

I don't use twitter, facebook or any other social networking site, so my interest is academic. But there is no excuse for people clicking on dodgy links, given the prominent media exposure that such exploits receive. Natural selection at work...

Great - more 4Chan?

[Algorithmnast]

As funny as this could be, I certainly wouldn't want people to see these things coming from me.

Of course, I don't USE twitter.

Any un-protected protocol is a viable route for hacking, and a single vulnerability can allow someone to do whatever they want with your computer. Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

Re:

[Dancindan84]

You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

Re:

[AvitarX]

questionable is a friend saying WTF: though.

Trusted source, something someone may regularly do. As far as dubious links go it is quite well formed.

Re:

[thePowerOfGrayskull]

Noo.... questionable is a friend saying WTF, providing a link, then posting another update talking about goat sex ;)

Re:

[fishexe]

This worm sounds like watching Darwinism in action in the digital age.

I wish. If only worms like this knocked people off the internet permanently.

Re:Great - more 4Chan?

[amicusNYCL]

You have to use twitter and be the type of person who clicks on questionable links without regard.

Which of these links is "questionable":

http://tinyurl.com/2tx [tinyurl.com]
http://bit.ly/heezy [bit.ly]
http://xrl.us/bh2p3m [xrl.us]

That's what all of the links on Twitter look like, which are OK and which are questionable? How does one distinguish?

Re:Great - more 4Chan?

[Dancindan84]

All of them. I don't click on shortened URLs. Nor should anyone who isn't a Rick Astley or Goatse fan.

Re:Great - more 4Chan?

[icebraining]

Or you could install this GM script [userscripts.org] which expands them to the real URL without actually loading it.

Re:

[Dancindan84]

So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded. Most phones aren't even bound by a character limit in SMS anymore. If a URL is stupidly long due to variables being sent, it's not hard to shorten a link

Re:

[Abcd1234]

So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded.

Umm, no, it's not.

Let's see, Twitter limits the length of the message you can send.

URL shortening services decrease the length of URLs.

Do I need to put two

Re:

[Dancindan84]

Yes, and Twitter limits the length of the message you can send because of a now mostly defunct cell phone limit on SMS messages. Which I mentioned. So apparently I needed to put two and two together for you.

Re:

[amicusNYCL]

The limit for SMS still exists, most phones just automatically wrap it to 2 or more messages for you if you type more than 160 characters. If a single message is longer than that, then it's not SMS (or your phone is smart enough to combine several messages into one, if it wants to wait to see if more than one comes in).

In the end, it doesn't really matter why Twitter limits the length of their messages as long as they do so. It only matters that they do, not why they do.

Re:

[Dancindan84]

• People use shortened URLs. Why? A big reason is twitter's character limit, and because of stupidly long URLs (the latter of which is easy to get around)
• So, twitter has a character limit. Why? Because they designed the system with the same limit as cell phone SMS to make integration with cell phones easier
• So, cell phones have an SMS limit... well not so much anymore. A lot of phones have browsers and just use web services like twitter directly, so the limit isn't a problem with them. And out of those that d

Re:

[amicusNYCL]

URL shortening was around before Twitter. That service started in response to things like instant messaging. People just think shorter URLs are more attractive than larger ones. So the only solution is to shorten all real URLs, and that's not really going to happen. URL shortening services are a bad idea in general, if bit.ly or tinyurl.com shuts down or loses their data then all of these links online are now dead, even though the content is still there. But as long as people think brevity is attractiv

Re:

[PPalmgren]

Because of the rediculous character limit on twitter and texts, and the fact that not all sites are created of equal or sensible URL lengths.

Re:

[icebraining]

I agree with you, and I don't create such URLs, but other people do, hence the GM script.

Personally, I think Twitter should just strip out URLs before sending them through SMS. If the person doesn't have Web access to read the Twitter updates, the URL will probably be useless anyway.

Re:

[amicusNYCL]

Or you could install this GM script [userscripts.org] which expands them to the real URL without actually loading it.

What about all of the Twitter users using IE? How do they know what's safe to click on? Should people be expected to install software to expand shortened URLs?

Re:

[icebraining]

People should be expected to do whatever the hell they want, why should I care? If you don't want to install software don't click on tinyURLs.

And if some people can't figure out how to install an extension, an expanded URL probably won't be more useful than a tiny one.

Re:

[amicusNYCL]

And if some people can't figure out how to install an extension, an expanded URL probably won't be more useful than a tiny one.

That's right. So tiny URLs are not the issue.

Re:

[amicusNYCL]

That's great, but that's not practical for most people. This comes back to the expected level of (internet) education for internet users, and the fact that most internet users are operating at a lower level than a lot of people like you or I think they should be. For most people, when one of their friends sends them a link on Twitter they're going to click it, it doesn't really matter where it goes.

Re:

[TheLink]

You can turn preview mode on for tinyurl, so you can tell that link goes to google.com without having to actually go there.

As for the rest, good luck :).

Re:

[Culture20]

Could you change your bit.ly link in your sig to a tinyurl link please? kthxby

Re:

[TheLink]

OK done... Better now? :)

Re:

[lul_wat]

http://unshorten.com/ [unshorten.com]

That said, I don't even bother clicking shortened links or unshortening them.

Re:

[listentoreason]

Just give in and use Shady URL [shadyurl.com] instead. For example, link to this article: http://5z8.info/5waystokillwithamelon_f9j6f_hitler [5z8.info].

Re:

[amicusNYCL]

OK, that's funny. I still don't like the concept of URL redirectors, but that's funny.

Re:

[amicusNYCL]

The Geocities-izer is brilliant.

Re:

[nacturation]

You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

Clicking the link is not necessary for this attack to work. All that's needed is visiting a compromised webpage. If a prominent website were hacked, every Twitter user who was logged in and visited that site would have been affected. Twitter's heavy reliance on stupid shortened "surprise links" (and the gullibility of those who click on them) doesn't help things, of course. But this attack would not have succeeded had Twitter followed basic web security practices.

Re:

[neumayr]

Uh, I can see it now, hysterical activists rallying to stop general purpose computers from executing non-certified code. After all, who knows what they could put in there. I heard there was profanity in source code!! Can't somebody, for once, please think of the children?!


What're you're asking for is ridiculous, yes. Please don't go around giving people any ideas of that sort..

Re:

[Algorithmnast]

Ah - proof by insinuation.

Note that in my post I didn't ask for anything.

I only said, "software shouldn't be puked out by just anyone". I didn't say anything about certifying code, or implanting a chip in your goat, or anything else.

But for one, I'm tired of the crap code pumped out by the masses, which then leads to an easy exploit and - unlike this joke - can lead to real problems.

Re:

[neumayr]

Of course you didn't say anything of the sort.
But pray tell, how do you stop people from writing code, or, failing that, how do you stop code from being run?

Re:

[Algorithmnast]

To quote Stroustrup from here [simple-talk.com]

RM:

"Do you think education is the answer to developing better software and that somehow we get out from the 'we must do it first no matter how buggy it is' way of thinking?"

BS:

"Education is part the answer, an essential part, but 'education' itself is not a solution. We need an education for software developers that combine principles from science and engineering with practical skills. Most likely, we will need several specializations, hopefully with a common base. U

Re:

[neumayr]

Okay, so we improve education and have the industry actually value and make use of those advanced skills.
So what's with code from people that don't have any formal education in software engineering?

Re:

[Algorithmnast]

I think that Stroustrup's point was that those skills are the baseline, not an advanced level.

As a nit-pick (for precision, not to really nit-pick), "Software engineering" is more about process than about writing good code. The practical use of SE seems to be "If we use process then the result has to be good! After all, it works in other engineering disciplines!" It's a naive point of view, since "other engineering disciplines" which are "hard sciences" all share a single concept - that their "engineering

Re:

[neumayr]

I do not disagree with your point. OTOH, you shouldn't study CS to become a programmer, that'd be like studying physics to become an engineer or maybe studying engineering to become a carpenter..

My point was another one though - there are a lot of hobbyist coders out there implementing really interesting ideas. Of course their code often does not meet the same criteria you would expect from formally engineered software.
Still, I really like that those programs exist, and that everyone is free to make them

Re:

[Qzukk]

Note that in my post I didn't ask for anything.

Won't someone rid me of this meddlesome slashdot poster?

Re:

[neumayr]

Hehe, good choice. But please be aware that you have no idea of knowing how much of my code you're already running ;P

Re:

[fishexe]

Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

Yes. It makes you an elitist. Why don't you come down from your ivory tower now and then, huh?

Re:

[John Hasler]

> Yes. It makes you an elitist.

There is, unfortunately, nothing ridiculous about that (it is ironic, though, as most elitists are not elite in any sense).

Re:

[Algorithmnast]

Rather than show you my resume, I'll merely point out that Proof-by-ad-hominem is not a valid method of proof.

Re:

[fishexe]

Rather than show you my resume, I'll merely point out that Proof-by-ad-hominem is not a valid method of proof.

What about proof by parody?

This is why...

[thescreg]

It took me awhile to realize what was going on. This is pretty much what I post about on Twitter anyway.

Sex with goats?

[The Good Reverend]

Um, no, actually. That really was me.

Yeah, yeah, yeah

[microbee]

blame the virus, you perverts!

The early bird...

[Anne_Nonymous]

...gets the worm.

Re:

[_PimpDaddy7_]

OMG, I gotta retweet that!

-Tweet Tweet!

OH

[mattwrock]

I thought it was posting goatse http://en.wikipedia.org/wiki/Goatse [wikipedia.org]

Finally

[rudy_wayne]

the worm would post vulgar messages on your account that discussed, well, sex involving goats

Finally!! Something worthwhile on Twitter.

Re:

[Beelzebud]

The solution is even simpler. See Twitter for what it is, and stop using it!

Re:

[Abcd1234]

See Twitter for what it is, and stop using it!

Broadcast IM.

So why should people stop using it?

The Revolution

[Beelzebud]

Will not be Tweeted.

Re:

[evilbessie]

I don't know telling all Twits* to line up against the wall would make the revolution much easier to start...

*People who use Twitter as Twitterers is unnecessary.

Now I have a use for Twitter

[mujadaddy]

BRB, signing up...