Yesterday I posted an article about a serious vulnerability I found in Twitter. As it was a bit on the geeky side, it may well have gone over a few people’s heads, so I thought I’d try to explain it in a bit more detail. Incidentally I don’t think Twitter really got it either, as we’ll see in a moment.

[Video: Twitter Exploit Video]

Why should I care?

With a few minutes’ work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets – and they are logged in to Twitter – their account could be taken over.

Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure.

All of that, just from seeing one of these tweets.

If I tweet something, all of my followers will see it instantly. Do you trust everyone you’re following?

I could mention a few of the trending topics of the moment, and there’s a good chance that someone will see one of my tweets that way.

Maybe I could just drop your name into my tweet and see if you look at it to see why I’ve mentioned your name?

What should I do?

There are a couple of steps you can take to try to avoid being affected.

  • If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you. However, malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
  • Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.
  • If you use something other than the Twitter website to view your tweets, perhaps one of the applications mentioned below, you should be fairly safe, though without looking at each one individually it’s hard to be sure. Still, you’re likely to be pretty safe this way.

How does it work?

If you’ve used Twitter you may have noticed that whenever you ‘tweet’, the time of the update is shown along with the name of the Twitter application you used to send it. Many people just use the Twitter website; others use dedicated applications – like TweetDeck, TwitterFox or HootSuite, as seen below in one of Dave’s tweets.

[Image: hootsuite]

Where that link goes is up to the developer of the application. If they change it, it affects all of the tweets ever sent with that application. Fair enough. This can be changed quite simply by filling out a form on the Twitter website, and the change takes effect instantly.

(Semi-)Technical Details

Twitter made one of the most basic mistakes in developing web applications – never blindly trust data that is provided from the outside world! Their form did no – or only very, very basic – checking on what you enter in the box. I pointed this out in the article yesterday and they have since attempted to fix it. However, Twitter have completely missed the point.

  • Whatever I type in that box will appear on the end of my tweets.
  • I can type in some raw HTML code into that box, and it will get included on the end of my tweet.
  • Anyone who sees that tweet will then be viewing that code.
  • That code can include JavaScript <script> tags.

[Image: twitterscript]

The code between those <script> tags can do anything the Twitter website can do. Send you off to another page, change your account details, send tweets, add or delete followers, etc.

I say Twitter have missed the point because they apparently “fixed” the problem last night.

Their idea of fixing it is to stop you putting spaces in the address box. Spaces. Other than that, everything else is fair game.

As an example, see @apifail2. It pops up a (harmless) box on your screen using JavaScript – but if it can do that, it can do a lot worse!
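To make the gap between the ‘no spaces’ fix and a real one concrete, here is an added example in Python (my own illustration, not Twitter’s code): the application URL box is modelled as a stored value that gets rendered into every tweet footer, the space-stripping check and an allow-list validation plus HTML escaping are run side by side, and a final check reports whether anything other than a plain http(s) link came out. The function names and sample values are constructed for this example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample values for the "application URL" box (not from the post):
# a legitimate entry, then the kinds of input the post says the form accepted.
SAMPLE_INPUTS = [
    "http://hootsuite.com",
    "<script>alert(1)</script>",                 # no spaces: survives the fix
    "http://x.test/ <script>alert(1)</script>",  # a space: the one case it catches
    "javascript:alert(1)",                       # no tag at all, still not a safe href
]

# Exactly one <a> with a quoted href and text-only content, nothing else.
LINK_RE = re.compile(r'^<a href="([^"]*)">[^<]*</a>$')


def render_unfiltered(app_name, source_url):
    """The flaw as the post describes it: whatever was typed into the box is
    pasted into the tweet footer verbatim, so markup becomes markup on the page."""
    return '<a href="%s">%s</a>' % (source_url, app_name)


def space_stripping_fix(source_url):
    """Twitter's reported 'fix': reject values containing a space, nothing else.
    Returns the value unchanged when it has no spaces, None when it does."""
    return None if " " in source_url else source_url


def validate_source_url(source_url):
    """Allow-list validation at storage time: an absolute http(s) URL with a host
    and none of the characters that open a tag or break out of an attribute."""
    parsed = urlparse(source_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    if any(ch in source_url for ch in "<>\"'\x00\r\n"):
        return None
    return source_url


def render_safe(app_name, source_url):
    """Validate, then HTML-escape on output. An invalid URL is dropped and only the
    escaped application name is shown, so the footer can never gain a tag."""
    url = validate_source_url(source_url)
    if url is None:
        return html.escape(app_name)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(app_name))


def footer_is_safe(rendered):
    """Check on the rendered footer: plain text (no tag at all) or exactly one <a>
    whose href, once unescaped, is an http(s) URL. Anything else means markup or
    a script-scheme URL got through."""
    if "<" not in rendered:
        return True
    match = LINK_RE.match(rendered)
    if not match:
        return False
    href = html.unescape(match.group(1)).lower()
    return href.startswith(("http://", "https://"))


def evaluate(source_url):
    """Run one candidate value through both approaches and summarise the outcome."""
    weak = space_stripping_fix(source_url)
    return {
        "weak_fix_accepts": weak is not None,
        "weak_fix_safe": weak is None or footer_is_safe(render_unfiltered("App", weak)),
        "validated": validate_source_url(source_url) is not None,
        "hardened_safe": footer_is_safe(render_safe("App", source_url)),
    }


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("%-45s %s" % (value, evaluate(value)))
```

Running it shows the space check only catches the third value, while validation plus escaping leaves every footer as either a plain http(s) link or harmless text.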

I think I’m going to stay off Twitter for a couple of days!

P.S. This isn’t the first time we’ve found vulnerabilities in Twitter… I wonder how many more there are out there? We got no response from them yesterday either, which is a shame. We don’t want to stop using their service because we’re worried about security, and I’m sure we’re not the only ones.

James

Update 28/08: This has probably been fixed, but without any official communication from Twitter it is hard to say for sure. The accounts I was using have been suspended and the exploit no longer appears to work as described. Whether it might still be working in a slightly altered form or on other accounts created before the fix I do not know.

James

84 Comments

  • 1

    Very worrying indeed!!

    Think I’ll stick to TwitterFox for a few days!

    I can’t believe that their “FIX” was to just disable spaces!!

    I think they need introducing to the strip_tags function?

    Dave | http://www.djb31st.co.uk

    26th August 2009 @ 10:11

  • 2

    It seems that they are more afraid of dofollow links than security issues….

    Tiger | http://www.seoblackout.com

    26th August 2009 @ 10:11

  • 3

    ha ha ah, Dave, once again you prove why you are one of my Heroes…

    rishil | http://designer-watches.org

    26th August 2009 @ 10:12

  • 4

    Bad vulnerability, epic find though.

    Shane | http://www.shanedj.com

    26th August 2009 @ 10:19

  • 5

    Good stuff. And amusing pop-up. =)
    I’m no developer so I don’t have a clue about how ‘bad’ this is, but it’s concerning that they’re not giving this the priority it deserves from a user’s point of view. After they’ve been warned and shown a demonstration. Twice. Wonder how long until they will ban this account. :)

    Out of curiosity: is it against the law or Twitter TOS to build an app that would actively spread the word in a non-harmful way while proving the point?

    just Guido

    26th August 2009 @ 10:24

  • 6

    Man, this is terrible news! I think I might stay off Twitter for a while.

    Might be sensible to start a twitter badge campaign to increase awareness?

    Anyone up for it?

    Allan Stewart | http://www.fireflyseo.com

    26th August 2009 @ 10:29

  • 7

    Well this is a bit of a bollocks up isn’t it. @just Guido as far as I can tell it is against their terms of service, but once the damage is done, it’s a bit late to wander off quoting legal babble and even if the malicious accounts are banned or stopped, they just open a new one straight away in a few seconds, not good.

    Nice find Dave all in all, but it worries me more what you haven’t come across, if that’s the soft version then what happens when bank details and identity theft kicks off. I would expect twitter to address this asap, publicly and in depth and start beefing up security and code immediately before something BAD happens.

    Justin Parks | http://www.justinparks.com

    26th August 2009 @ 10:43

  • 8

    Get the Badge set up Allan, I’ll join in!

    Shane | http://www.shanedj.com

    26th August 2009 @ 10:45

  • 9

    How they haven’t got their arses in gear and fixed this yet I do not know!

    Gareth Trufitt | http://trufitt.com

    26th August 2009 @ 10:47

  • 10

    Nice find Dave, more headaches for the Twitter tech bods I guess! Seems like a bit of a schoolboy error to me – I would have thought that all forms on such a high profile website would have draconian levels of input checking!

    David Fairhurst | http://www.intelligentretail.co.uk

    26th August 2009 @ 10:57

  • 11

    This is a rookie mistake made by guys who should know better! This is just asking for exploitation!

    Good write up and examples – thanks for the heads up, I’ll make sure I Tweet this article.

    Duncan | http://www.duckonwater.co.uk

    26th August 2009 @ 11:14

  • 12

    [...] today followed up on yesterday’s blog post with another one correctly claiming that the exploit still very much works. He proved as much by creating another dummy account on Twitter, which pops up a (harmless) dialog [...]

  • 13

    I am proposing this image to add to your twitter profiles. I just purchased from IStock so should be fine to use…

    http://www.fireflyseo.com/images/twitter-security.jpg

    Dave hope you don’t mind the link, feel free to host on your site if you want to remove it.

    Allan Stewart | http://www.fireflyseo.com

    26th August 2009 @ 11:30

  • 14

    Question: Would you guys consider this a hack?

    rishil | http://designer-watches.org

    26th August 2009 @ 11:34

  • 16

    @rishil we were careful not to pull any 3rd party JS but you could easily turn it into the biggest Malware distribution platform

    Dave

    DaveN

    26th August 2009 @ 11:42

  • 17

    Awww poor James Slater hasn’t gotten any credit for this (in blog comments or external articles), but Dave has:

    http://www.techcrunch.com/2009/08/26/massive-twitter-security-problem-not-resolved-just-yet/

    Just to clarify: this is James’s find right?

    Neil Yeomans | http://twitter.com/neil_yeomans

    26th August 2009 @ 11:51

  • 18

    [...] the expert on his blog, the security flaw is in the API field that allows programmers to insert the URL of the [...]

  • 19

    Rishi / Everyone…

    It is a client side hack so it’s unlikely Twitter web servers are compromised. The likelihood is this exploit has been in the wrong hands for a while and that there are a number of Twitter accounts out there which are used to gather in user password information. As everyone knows, MOST non tech users use the same password on most websites, many of which, such as Amazon, hold credit card details. In my view this security exploit has the potential to be extremely damaging. The trouble is the damage may have already been done. I am not trying to be a doom monger but either way Twitter should respond to this as a top priority ticket item. As Justin Parks states if this is indicative of the general approach to security at Twitter then I would advise people to stop using it immediately.

    If you do feel brave enough to use Twitter at the moment and want to help raise awareness of this issue I have posted a tweet on adding a wee image to your profile picture.

    http://twitter.com/fireflyseo/status/3554729419

    Allan Stewart | http://www.fireflyseo.com

    26th August 2009 @ 11:54

  • 20

    if there is an exploit Dave is bound to find it ;)

    dan

    26th August 2009 @ 12:01

  • 21

    Thanks Neil, you are correct. Oh well!

    james

    26th August 2009 @ 12:24

  • 22

    Dave,

    Thanks a lot for making us aware of this very nasty but simple to fix problem. I am a little disappointed that twitter hasn’t managed to fix this yet. I mean xss is one of the FIRST things you test for, or perhaps that’s just me.

    Gary Gilbert | http://www.garyrgilbert.com/blog

    26th August 2009 @ 13:07

  • 23

    Awesome find! And amazing how they still haven’t fixed it. I have one word for Twitter – AntiXSS!

    Dhruv Sood | http://www.psoodocode.com

    26th August 2009 @ 13:16

  • 24

    That is crazy scary. Kudos to you for discovering it, you made the front page of Mashable today. It’s amazing that the folks at Twitter aren’t taking this *much* more seriously.

    Marty Martin | http://www.twitter.com/mosquitohawk

    26th August 2009 @ 13:26

  • 26

    Amazing that their fix was “spaces”. I’m not a programmer by any means, but still that just doesn’t sound right. I totally agree: stop following people who you don’t know and trust. There’s most likely all sorts of other security issues with Twitter that we just don’t know about yet.

    Bill | http://www.billhartzer.com/

    26th August 2009 @ 13:39

  • 27

    I think as Twitter grows larger and larger we will see more of these types of efforts. Hopefully Twitter will beef up their internet security a bit more.

    Nick Stamoulis | http://www.brickmarketing.com

    26th August 2009 @ 13:44

  • 28

    It’s XSS.. I mean… Get over yourself.

    Someone

    26th August 2009 @ 13:48

  • 29

    Another way to mitigate this as a user (if using the Twitter web client) is to install the NoScript add-on for Firefox. NoScript can prevent XSS in “most” cases.

    Tom | http://socialmediasecurity.com

    26th August 2009 @ 13:55

  • 30

    [...] such panic? Because, if you ever see a pop-up similar to that above, it may not be as innocuous as the one created by the guys over at Dave Naylor’s blog. In fact, someone with half an ounce of tech savvy [...]

  • 31

    While this seems to be the dream of every Twitter-spammer, I wonder why I haven’t seen this in action, yet.

    Tobias Svensson | http://return42.blogspot.com/

    26th August 2009 @ 14:08

  • 32

    Excellent article Dave. Given the vulnerability of Twitter it is surprising that it has not been attacked this way. It’s also shocking that Twitter does not have a more comprehensive filter for all messages sent through it. (I’m not much of a programmer and even I know better.)

    Victor Lonmo | http://www.googlerank.ca

    26th August 2009 @ 14:28

  • 33

    Wow David you are a genius for finding this. This is why you are an SEO god!

    ps just playing around, James is my new hero.

    Andre

    26th August 2009 @ 14:32

  • 34

    Looks like it’s been fixed, recently tweets containing code characters get converted to their HTML code equivalent.

    Scott Bowler | http://blog.quba.co.uk

    26th August 2009 @ 14:33

  • 35

    Your twitter account just got suspended.

    Bob

    26th August 2009 @ 14:44

  • 36

    Sweet, Twitter has gone ahead banning the @apifail account but not fixing their security loophole! Just great!

    Vinay | http://twitter.com/iVinay

    26th August 2009 @ 14:52

  • 37

    I see that Twitter have suspended the apifail2 account – interesting to see what they do over the next couple of hours re the problem

    carla

    26th August 2009 @ 14:54

  • 38

    [...] to be stolen and even allow for the installation of malware. Twitter claims to have closed it, but Naylor says in an update today that a vulnerability still exists. Naylor explains why users should care:With a few minutes work, someone with a bit of technical [...]

  • 40

    Firstly, feel a bit sorry for you James. I suppose that’s part of the double edged sword that comes with blogging on a domain that became famous for one person’s contributions! Still a few of us spotted that it was you and not Dave that picked up on this, so kudos!

    Secondly, who else instantly thought of using a twitter name in a decent search vertical, building up its rank and then chucking in a redirect using this vuln? :P

    Andy | http://www.andrewblackburn.co.uk

    26th August 2009 @ 15:20

  • 41

    [...] According to Slater (and the issue has been acknowledge by Twitter, just not fixed), anyone who simply sees your tweets from when you’re logged into Twitter, can run some code inside your browser and take over your account, which can lead to malware spreading, impersonation, or whatever you can imagine. [...]

    Your Twitter Account is in Jeopardy

    26th August 2009 @ 15:21

  • 42

    LOL @andy James works here as well, he is on the payroll..

    Dave

    DaveN

    26th August 2009 @ 15:23

  • 43

    Ahh, my uni took that stance: You are being educated by us and therefore anything you do, write or create whilst under our instruction is ours :P

    I gathered he was part of the team at Bronco, but he should still get credit where credit is due!

    Andy | http://www.andrewblackburn.co.uk

    26th August 2009 @ 15:25

  • 44

    Your comment…

    DaveN

    26th August 2009 @ 15:35

  • 45

    Hehe – this is moving fast… the Guardian are on it. Still no official word from Twitter…

    paul carpenter | http://www.itsafamilything.co.uk

    26th August 2009 @ 15:39

  • 46

    Double kudos… earning your boss 3 followed links from a major UK newspaper website :P

    Andy | http://www.andrewblackburn.co.uk

    26th August 2009 @ 15:42

  • 47

    Fuck my hat, Twitter’s technical people really are fracking useless when one of them went whining about “how the internet (built 25 years ago) wasn’t suitable for them”.

    I even got a link from Valleywag and a comment from Vint Cerf on my blog (well I’m 85% certain it was him)

    maurice | http://hauntingthunder.wordpress.com/

    26th August 2009 @ 15:49

  • 48

    Who did you try contacting at Twitter? If you send an email to security@twitter.com you should get a response within the day.

    John T.

    26th August 2009 @ 16:13

  • 49

    Has there been any new developments on this security issue yet? I am surprised that they would not put a real quick stop to it. REALLY appreciate the heads up on this one. Glad that I am following such alert people. Thanks again!

    Nick | http://anderenterprises.com

    26th August 2009 @ 16:55

  • 51

    [...] to David Naylor, who found the exploit, the security issue still hasn’t been fixed, meaning that it still presents a danger to all Twitter users. Today, David has provided more [...]

  • 53

    [...] The skinny of it is if you tweet through Twitter.com, you may be putting your account in jeopardy. According to Slater (and the issue has been acknowledge by Twitter, just not fixed), anyone who simply sees your tweets [...]

  • 56

    @Allan Stewart – Just at a cursory glance I see no reason why this would expose the user’s password. The exploit is to steal their Twitter login cookie. There should be no password information there. If there is, well, then the problem is much worse than indicated here.

    Gabe da Silveira | http://darwinweb.net/

    26th August 2009 @ 18:18

  • 57

    Setting up a user style-sheet (eg. with the Stylish Firefox extension) and adding the following:

    span.entry-meta span a script { display:block; color:#fff; background:#f00; }

    will let you quickly see if any of the tweets you’re viewing on the Twitter website contain scripts inside the link to the posting application’s website.

    Stuart | http://www.designmeme.com/

    26th August 2009 @ 18:24

  • 58

    LOL, that just shows how good of a framework ROR is. (jk)

    Miguel

    26th August 2009 @ 18:38

  • 59

    All I can say is ouch! For such a widely used service you would think they could find a correction for this exploit. Same goes for MySpace. Seems to be several vulnerabilities there as well, concerning JavaScript injections. Hate to stop using these services due to lack of security.

    hope they find a fix soon!

    Jonthan Lulich | http://60MinutesFame.com

    26th August 2009 @ 18:50

  • 60

    Naww, It banned the account.

    Cooksey

    26th August 2009 @ 21:48

  • 61

    Indeed, they do seem to be far more concerned over dofollow links than security. Which by the way I still think it’s ridiculous that tweet links are not followable….

    I never really liked twitter anyway…………….. :D

    Freelance Seo | http://www.seomysite.co.uk/

    26th August 2009 @ 23:06

  • 62

    It’s nice of you to share your IP address with the readers of this post + all of youtube. =D
    Just saying… in the bottom right hand corner of your browser is your IP and that you are not on a proxy. Is this the onion router? Good post though.

    Jack Hanington

    27th August 2009 @ 03:07

  • 63

    Hi Jack, the IP address is the IP of Twitter, that’s all :)

    DaveN

    27th August 2009 @ 06:27

  • 64

    Excellent find, it’s a shame that Twitter themselves don’t seem to be doing much about it… Security risks like this will turn many people off using Twitter. Fixing this should be their top priority.

    Thanks for highlighting this problem, without people like you this sort of thing would probably go unnoticed for ages!

    Amelia Vargo | http://www.crearecommunications.co.uk

    27th August 2009 @ 08:41

  • 65

    Excellent find! Twitter really needs to start patching its bugs fast. It seems so easy to execute that people with very little experience can actually start exploiting this. Worse off, it makes Twitter spam even easier than ever before!

    Sarwar Faruque | http://www,sarwarfaruque.com

    27th August 2009 @ 09:05

  • 66

    Seems that they suspended apifail2 now too. I wonder if they fixed the bug too?

    Emil Stenström | http://friendlybit.com

    27th August 2009 @ 12:04

  • 67

    I use Twitter too but don’t really know much about this.. nice info bro..

    alfon | http://staticsilence.com

    27th August 2009 @ 13:36

  • 68

    What other web app with that degree of popularity is (1) down as often as it is (2) puts wacky restrictions on things like # of searches (3) has gaping security holes? Hard to think of anything as widely used (perhaps IE?) that is as poorly thought out from a technical perspective.

    TravisV | http://www.itdatabase.com

    27th August 2009 @ 14:58

  • 69

    Err – obviously I know that IE is a browser (not a web app). But the only real example I can think of where the popularity / quality is as disproportionate.

    TravisV | http://www.itdatabase.com

    27th August 2009 @ 14:59

  • 70

    Your test account’s been suspended…

    Is this issue fixed yet? I can’t find anything saying it’s been fixed, and the Twitter blog/status sites have absolutely nothing about this, which is downright sketchy to me. I mean, at least acknowledge that there’s a problem!

    Elizabeth K. Barone | http://facebook.com/elizabethbarone

    27th August 2009 @ 16:12

  • 71

    I think they should’ve known better.

    Blogs are stripping out all sorts of code out of posts to stop malicious things from happening.

    Has nobody learned anything by now?

    Steve | http://www.laokay.com

    28th August 2009 @ 08:39

  • 72

    Great stuff …

    An article about James Slater’s discoveries was just posted in one of the big Danish newspapers.

    http://ekstrabladet.dk/kup/elektronik/article1212838.ece

    Steen Öhman | http://www.ohmanresearch.com

    28th August 2009 @ 08:48

  • 73

    [...] News, WebProNews, Zdnet News, google news, social media, twitter Update: There is now a video up on Dave Naylor’s blog about the Twitter exploit, which I have embedded below. Meanwhile, Twitter has yet to respond to [...]

  • 74

    [...] is now a video up on Dave Naylor’s blog about the Twitter exploit, which I have embedded below. Meanwhile, Twitter has yet to respond to [...]

  • 75

    Pretty pompous of you to expect twitter to immediately answer your every request/question/comment. It’s great that you found the flaw and let them know about it but at the same time you expect them to let you know everything they are doing AS THEY DO IT. Not a few days later after they have a chance to test everything.

    Dave

    28th August 2009 @ 14:34

  • 76

    Thanks 4 article

    Rify | http://www.smile-marketing.co.cc

    28th August 2009 @ 15:20

  • 77

    Bad news for everyone who feels the need to tell the world they just brushed their teeth! :)

    David Michaels | http://www.insidethetourbus.com

    28th August 2009 @ 22:22

  • 78

    “Unfollow people you don’t know”

    Wow that could take a while. Every day I get several new followers that I have no clue as to who they are.

    Name | http://hubpages.com/hub/Cupid-Dating-Sites

    1st September 2009 @ 20:56

  • 79

    I can’t help but wonder how you even discovered this exploit in the first place…

    Noah | http://wealthnetpartners.com/blog/

    2nd September 2009 @ 18:52

  • 80

    @noah if it ain’t broken stress test it… ps tor ain’t all they are cracked up to be :) exit nodes leakage and all that …

    Dave

    DaveN

    2nd September 2009 @ 21:27

  • 81

    Has there been any official word yet if this problem has been fixed .. or do we all just presume it’s ok again now?

    Becky | http://www.beckynaylor.co.uk

    2nd September 2009 @ 21:57

  • 82

    [...] highly recommend your read David Naylor’s post on Twitter Exploits (Thanks to @Nik_G for sending me this link).  It may help prevent you from being [...]

  • 83

    Does that problem still exist on Twitter? Sometimes I’m using my cellphone to blog but sometimes my tweets don’t appear on my Twitter page.

    karen | http://www.satelliteview-of-my-house.com

    27th December 2009 @ 01:16

  • 84

    Never thought such a top service like Twitter could be exploited this easily and make some really primary school mistakes. Good catch!

    Hope Twitter gets serious about this and does all necessary fixes to give its users a secure way to socialize.

    Rash | http://www.webtopvideos.com

    28th December 2009 @ 14:46
