|  Home   |  Forums   |  News   |  Blog   |  Reviews   |
 Satellite   Digital TV   IPTV   Cable   HDTV   Computers   Apple   Games   Mobile Phones   Broadband   Internet   Security   Telecoms   USB   VoIP   Wireless   Science 

September 21, 2010

Twitter accounts hacked by worm through XSS flaw

Bookmark and Share

by Brian Turner

Twitter accounts were today coming back to normality after a serious worm attack left as many as 100,000 users with malware infected accounts.

The issue happened after a XSS exploit, supposedly patched last month, was found by a Japanese researcher to be still open.

According to Twitter, users experimented with the exploit to achieve different coloured effects using Javascript commands, before a worm was launched into the security hole.

The result was thousands of users sending each other infected tweets, which tried to redirect followers to hardcore pornography websites.

Twitter officials were only able to restore normal functionality to the site four hours after the outbreak was first reported.

According to Twitter security engineer, Bob Lord, “Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another user.

“First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an “onMouseOver” flaw — the exploit occurred when someone moused over a link.

“Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.”

An embarrassment for Twitter

The issue will no doubt be embarrassing for Twitter, not least because this was an indeitified vulnerability that was supposed to have been fixed, but was re-opened by a minor update.

Perhaps more seriously, it demonstrates the ability of malicious users to turn Twitter from one of the world’s largest social media centres, into one massive botnet for malicious attacks.

In this instance, the effect was unwelcome - but if the worm had injected a trojan, virus, or similar malware which could then infect Twitter users - who would then incidentally infect their followers, the result could have been the world’s largest ever malware attack.

It remains to be seen how seriously security issues return to Twitter, but if there’s one thing very clear from this incidence, it’s the danger of one of the world’s most popular websites being exploited to infect its users.

While Twitter are at pains to point out the mobile version and apps were unaffected, with 100 million users, it’s time for Twitter to take security more seriously.

Story link: Twitter accounts hacked by worm through XSS flaw

Discuss this in the Techwatch Forums

Related news to "Twitter accounts hacked by worm through XSS flaw"

Special offers on iPads

No Comments »

No comments yet.

Leave a comment

Connect with Facebook

Previous: «
Next: »

Visited 993 times, 4 so far today