AfterDawn: Tech news

Twitter ravaged by XSS exploit

Written by Andre Yoskowitz (Google+) @ 21 Sep 2010 16:18 User comments (17)

Twitter ravaged by XSS exploit Popular micro-blogging site Twitter was hit pretty hard today by a newly exposed site exploit, with hundreds of thousands of users affected.
The "onMouseOver" incident, as dubbed by Twitter itself, started early in the morning (around 6 am EST) and was all patched by 12 pm EST, with the main problems fixed by 10 am.

Twitter says the security exploit was caused by cross-site scripting (XSS), which is "the practice of placing code from an untrusted website into another one."

In the case of this morning, hackers submitted javascript code as plain text in tweets that was then executed when others clicked it.

Twitter explains further: "Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an “onMouseOver” flaw -- the exploit occurred when someone moused over a link."

The exploit only affected users of the Twitter website, with 3rd-party platforms and the mobile versions of the site being unaffected.

The official White House Twitter page, with 1.81 million followers, was the highest profile page to be affected.

Previous Next  

17 user comments

121.9.2010 16:24

This sounds exactly like what happened on Youtube July 4th BUT MORE STUPID!

222.9.2010 18:33

What a TWAT of an expression, an “onMouseOver” flaw , lets hope it twitters away soon.

323.9.2010 6:37

Why is that a bad expression? That's just a JavaScript event term.

423.9.2010 8:04

Maybe dardndec failed Javascript class or it is just too big a word.

I think I may have been hit with a mouseover on AD a few weeks back. I got a virus and all the sites I had been on were fairly trustworthy AD being one of them. AD admitted their security hole a few days later. In fairness, those other sites would not have been so open. I have been hit with several mouseover attacks on less reliable sites. All have been in the adds. The add servers are less protected. With that adds getting huge so you can't avoid them it presents a real worry to an informed user.

This message has been edited since its posting. Latest edit was made on 23 Sep 2010 @ 8:31

523.9.2010 10:53

Originally posted by Mez:
Maybe dardndec failed Javascript class or it is just too big a word.

I think I may have been hit with a mouseover on AD a few weeks back. I got a virus and all the sites I had been on were fairly trustworthy AD being one of them. AD admitted their security hole a few days later. In fairness, those other sites would not have been so open. I have been hit with several mouseover attacks on less reliable sites. All have been in the adds. The add servers are less protected. With that adds getting huge so you can't avoid them it presents a real worry to an informed user.
MouseOver's are the most common way to get hit and will continue to plague us on any site you visit, but high ad sites are the worst.

623.9.2010 12:29

OK, I get the picture, just read it as the twitters coined the phrase "mouseover", i can see why this is a threat and one that wont go away soon, i have never falling foul of it myself , must be lucky, or well secured.
Forgive my ignorance, so im off to TEACHBOOK to do my lines.

723.9.2010 14:28

Originally posted by Dardandec:
OK, I get the picture, just read it as the twitters coined the phrase "mouseover", i can see why this is a threat and one that wont go away soon, i have never falling foul of it myself , must be lucky, or well secured.
Forgive my ignorance, so im off to TEACHBOOK to do my lines.

Yes, they are a huge threat. Most users are morons and don't realize they have a half dozen bot-nets slaving their computer for god knows what. I got hit with the best free spyware packages and 2 highly rated virus scanners all running. All this new crap doesn't look malicious to scanners because they dupe the OS and scanners into thinking the events are normal user controlled events. The last infection, probably went as follows, mouseover poped a box through my popup blocker. When I closed it it used that action as user consent and loaded something. My computer was acting a bit weird so I disinfected and did find something. I run deep scans at the drop of a hat these days and most scans do not come up with anything.

823.9.2010 16:14

If i see ANYTHING that i didn't request personally on my systems i never click on the X-button, or close button, or any button really.
Just right click on the offending box and scroll down to CLOSE, this way Windows is shutting it down, this seems to be a safe method of dealing with the unwanted item, scan therafter for peace of mind, so far this process has worked for me.

923.9.2010 17:00

Now maybe the popup box was not the problem but I think it was. I Clicked the upper right corner to close. But what if it only looked like a normal pop up box and clicking on what looked like a close button was really a clicked event for something else? That is what I think happened. While you are doing the closing you aren't even thinking about what you are doing. It is not like you carefully inspect every button you click. It was only afterwards did I scroll though the day trying to figure what might have been the problem. Mouseovers on huge adds are a huge threat. I think if I got caught by some like I see on AD were they fill the screen and you need to close them, I would look for a lawyer. By forcing you to click on the add and then not protecting you with bad security they should be libel.

1023.9.2010 17:27

I wish these hackers would get the heck out of their mom's basement and get a job!

1123.9.2010 19:28

Originally posted by mas98110:
I wish these hackers would get the heck out of their mom's basement and get a job!
Acutually, hackers infecting you with bot nets can steal your identity then sell them probably at auction. The Spanish gang had control of hundred of thousands of computers. Just think if they stole $50,000 from only half of them. That is big business. Large portions of the virus and spyware is designed to steal things from you. They are getting very stealthy about infecting and sucking you dry. Identity theft is on the rise and is big business. I used to know a semi-reformed hacker on AD she gave an insite to bot net attacks. Most AD members make bad marks for ID theft. The value of your identity increases the longer you leave the bot net on your computer. Dopes are safe. That is where the gold is you can use their computer for years and they will never let on. Those you can open up accounts and run credit cards up under their identity. You might even pay the bill with another CC so the bank will keep the card active.

1223.9.2010 20:14

Originally posted by Mez:
Originally posted by mas98110:
I wish these hackers would get the heck out of their mom's basement and get a job!
Acutually, hackers infecting you with bot nets can steal your identity then sell them probably at auction. The Spanish gang had control of hundred of thousands of computers. Just think if they stole $50,000 from only half of them. That is big business. Large portions of the virus and spyware is designed to steal things from you. They are getting very stealthy about infecting and sucking you dry. Identity theft is on the rise and is big business. I used to know a semi-reformed hacker on AD she gave an insite to bot net attacks. Most AD members make bad marks for ID theft. The value of your identity increases the longer you leave the bot net on your computer. Dopes are safe. That is where the gold is you can use their computer for years and they will never let on. Those you can open up accounts and run credit cards up under their identity. You might even pay the bill with another CC so the bank will keep the card active.
You are correct! I was understating the problem and forgot about the criminal aspect. Thanks for the reminder, Mike

mas98110

1324.9.2010 15:35

Hey Mez, and all y'others

On those popups, you can also use "View Source" on suspicious ones to make sure the javascript on the buttons isn't using malicious code as well. You're absolutely correct about the dangers of using the close button on popups that circumvent your blockers, the radio button scripting can close the popup all right, which looks fine to almost everyone, but it can also inject other code at the same time.
Dardandec, that's a good way to close them as well, but if I remember correctly, a very INTENT hacker can code the popup to still inject code on closure.
Basically, if a good hacker wants to get his stuff in like this, there really isn't allot most users can do about it without having a full HIPS security and even then you can only catch it after it's been installed. Even the best security can't get everything and never will...the nature of the beast.

1424.9.2010 16:44

Yes Chappy that is pretty much what I have learned the hard way. You are as safe as you are from a sniper attack. If you activate the window to view the source you might infect your self. Again, if you are in their sites, the best you can do is a quick clean up. Quick and thorough clean ups are a red flag for identity thieves.

At least in the US we can 'lock' our credit reports. If a unlucky hacker bumps into one of those he hit a land mine. No one as been blown up by mine. If someone is trying to open an account on a locked credit report with out telling the bank before hand the reporting agency assumes foul play.

Oh yes, and wireless networks are not secure either. The latest and greatest WPA2 has been compromised.

1524.9.2010 20:21

Hey Mez

We haven't chatted in awhile have we...but summers' quickly coming to an end and pretty soon this box will be used more.

Dude, isn't that the way 99.9999etc% of us learn things? I'll never forget when I started doing independent malware testing in 97, when I let loose 3 nasty trojans from my sandboxed test platform onto my main machine (fergot the network cable was still plugged). I told the team I was working with about it and was the butt of jokes for the next year...yah, that was fun alright. Blew 2 OS installs on my machine to bits and lost data I had on other testing, so the team started a "Give it to Chappy...he knows how to test the payload" kinda deal. But I never did it again either.
I still shake my head when people scream about new security holes and rant about them not knowing how to secure their stuff, if only it were that easy eh my friend. As long as code exists, so will exploits for it, they both evolve off of each other and that's advancement in a nutshell. You can write code as secure as possible ATM, but pretty soon someone will knock it over, just a matter of time.

1625.9.2010 12:34

BTW the Best Techie suggestion was a great one! You might not be able to prevent an attack but a quick thorough clean up is the next best thing.

I had to laugh when I saw what they recommended. I was expecting one powerful app. Instead, they suggested an arsenal of apps. I could tell they left nothing inspected. I was technical enough to see where my problem was. Under my admin user which I had never used, was an automated task. I removed that and the app it called. I ran scans frequently after that until I got bored. My complaint had been my malware kept coming back so I was relieved when it didn't but I would never have found the real problem that had not appeared malicious to even the great scanner I was using.

1725.9.2010 14:29

Good! I knew the folks would get you fixed up, I was co-builder of that site and we recruited many of the best anti-malware folks around. Even RubberDucky, the developer of MBAM is one of our senior members, and many of our other advisors are well known techs and malware fighters from all over the spectrum. I retired a couple years ago from all that as I just had too much going on with diabetic crap and couldn't keep up.
The thing you learn quickly is that no 1 or 2 security apps can do the whole cleaning job. There are too many things out there that need specially crafted scans, run in certain order, to find and fix. In the old days, like way back in 00-03 (LOL), many times with some infections we simply had to say...enough..reformat, overwrite 2 times and reinstall. Now we have more powerful ways to save the system & data, with many hoops to jump thru on the way. But once you do it you can get a new understanding of how complicated it really is, and an appreciation of the folks who devote their time to making it happen.
Later bud!

Comments have been disabled for this article.

News archive