Another Day, Another Twitter Exploit
Apologies to anyone out there who’s not a Twitter fan (e.g. our very own Carps springs to mind), but this is another Twitter exploit post. If you do use Twitter you’ll likely already have seen this one in action today, and if you don’t, you won’t be interested. Oh well.
The actual exploit as I first saw it is quite simple. All it’s based on is sending out a tweet starting with http://t.co/@ and continuing with whatever HTML you want to inject into the page. t.co is Twitter’s homegrown URL shortener, and I would guess that something in their escaping logic is trusting it more than it should. Certainly the http://a.bc/@ I tried didn’t work.
Somebody – perhaps not the person who originally discovered the issue – used it to inject a bit of code into their Twitter feed:
http://t.co/@"onmouseover="document.getElementById('status').value='RT jamslater';$('.status-update-form').submit();"class="modal-overlay"/
Name changed to protect the guilty.
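To make the mechanism concrete from the defender's side, here is an added example (not code from this post, and not Twitter's own autolinker) of a toy tweet linkifier in two versions: a naive one that drops whatever it matched as a URL straight into an href attribute, so a double quote inside the "link" closes the attribute and the rest becomes new attributes, and a hardened one that restricts the URL match to URL-legal characters and HTML-encodes both the URL and the surrounding text. The linkifier design, the regexes, the sample tweet (based on the payload above) and the crude hasInjectedHandler check are all assumptions of this example; it does not claim to reproduce Twitter's actual code or bug.

```javascript
// Added example, not from the original post or from Twitter.
// Shows why attribute-encoding a URL matters even when the URL "looks trusted".

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Loose match: anything non-whitespace after http(s)://. Quotes are allowed in,
// which is the flaw this example is built around (hypothetical, not Twitter's regex).
const LOOSE_URL = /https?:\/\/\S+/g;

// Strict match: only the characters RFC 3986 permits in a URL. No quotes, no <>.
const STRICT_URL = /https?:\/\/[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+/g;

// Shared walk over the text: non-URL segments are HTML-escaped, URL segments
// are handed to renderLink. Only the URL handling differs between the versions.
function linkify(text, urlRegex, renderLink) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(urlRegex)) {
    out += escapeHtml(text.slice(last, m.index));
    out += renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Vulnerable: the "URL" is trusted and interpolated raw into the attribute.
function linkifyNaive(text) {
  return linkify(text, LOOSE_URL, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: narrow what counts as a URL, then attribute-encode it anyway.
function linkifyHardened(text) {
  return linkify(text, STRICT_URL, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}" rel="nofollow">${safe}</a>`;
  });
}

// Crude check used only by this example: an on*= attribute that begins right
// after a quote was not written by our link template, so it came from input.
function hasInjectedHandler(html) {
  return /["']\s*on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet modelled on the payload quoted in the post.
const PAYLOAD_TWEET =
  "Look: http://t.co/@\"onmouseover=\"document.getElementById('status').value='RT someone';" +
  "$('.status-update-form').submit();\"class=\"modal-overlay\"/";

console.log("naive   :", linkifyNaive(PAYLOAD_TWEET));
console.log("hardened:", linkifyHardened(PAYLOAD_TWEET));
```

Run with node and compare the two outputs: in the naive version the anchor tag acquires an onmouseover attribute supplied by the tweet, while in the hardened version the match stops at the first quote and everything after it is rendered as inert, escaped text. The two defences are independent; the strict character class alone would still leave single quotes in a double-quoted attribute to be escaped, which is why the hardened renderer encodes unconditionally.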
That’s how it’s spreading so fast and how every other tweet you see at the moment probably mentions it. By hovering over an affected tweet you’ll likely have retweeted it to your followers, perpetuating the cycle. This is fairly similar to the Samy worm that hit MySpace (remember them?) a few years ago.
It Could Be Worse
The code I found and examined above is fairly innocuous, if annoying. However, it isn’t limited to just sending retweets, it can essentially do anything that the Twitter website can. Send DMs, follow or unfollow people, send your login cookie off to somewhere nefarious, etc. It probably can’t change your password (you have to confirm your old one for that, thankfully) but my advice for the moment is definitely to sign out of twitter.com if you’re already on it. If not, leave and don’t come back until this issue is fixed.
External Twitter clients should be fine, unless they happen to suffer from the exact same bug. I’ve not heard of any issues outside of twitter.com.
tl;dr – Stay off the Twitter website for today. You’ve probably got work to do anyway.
Quick update: Twitter have patched it. They are “rolling out an update” at the moment.
Final update: The exploit has been patched. Panic over. Amusingly, an open source repository of Twitter-related code, controlled by a Twitter employee, has a fix in it for this exact issue dated August 23rd. Very odd that the same fix wasn’t committed to their website, especially given the public nature of the above code. It seems that they might very well have brought this on themselves.