Twitter Exploit Still Works
Yesterday I posted an article about a serious vulnerability I found in Twitter. As it was a bit on the geeky side, it may well have gone over a few people’s heads, so I thought I’d try to explain it in a bit more detail. Incidentally I don’t think Twitter really got it either, as we’ll see in a moment.
Twitter Exploit Video
Why should I care?
With a few minutes’ work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets – and they are logged in to Twitter – their account could be taken over.
Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do. Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure.
All of that, just from seeing one of these tweets.
If I tweet something, all of my followers will see it instantly. Do you trust everyone you’re following?
I could mention a few of the trending topics of the moment, and there’s a good chance that someone will see one of my tweets that way.
Maybe I could just drop your name into my tweet and see if you look at it to see why I’ve mentioned your name?
What should I do?
There are a couple of steps you can take to reduce the chance of being affected.
- If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you; however, malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
- Unfollow anyone you don’t know or don’t trust who could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.
- If you use something other than the Twitter website to view your tweets, perhaps one of the applications mentioned below, you should be fairly safe, though without looking at each one individually it’s hard to be sure. Still, you’re likely to be pretty safe this way.
How does it work?
If you’ve used Twitter you may have noticed that whenever you ‘tweet’, along with the time it also includes the name of the Twitter application you used to send the update. Many people just use the Twitter website, others use dedicated applications – like TweetDeck, TwitterFox or HootSuite as seen below in one of Dave’s tweets.

Where that link goes is up to the developer of the application. If they change it, it affects all of the tweets ever sent with that application. Fair enough. This can be quite simply changed by filling out a form on the Twitter website, and takes effect instantly.
(Semi-)Technical Details
Twitter made one of the most basic mistakes in developing web applications – never blindly trust data that is provided from the outside world! Their form did no checking, or only some very, very basic checking, on what you enter in the box. I pointed this out in the article yesterday and they have since attempted to fix it. However, Twitter have completely missed the point.
- Whatever I type in that box will appear on the end of my tweets.
- I can type in some raw HTML code into that box, and it will get included on the end of my tweet.
- Anyone who sees that tweet will then be viewing that code.
- That code can include JavaScript <script> tags.

The code between those <script> tags can do anything the Twitter website can do. Send you off to another page, change your account details, send tweets, add or delete followers, etc.
I say Twitter have missed the point because they apparently “fixed” the problem last night.
Their idea of fixing it is to stop you putting spaces in the address box. Spaces. Other than that, everything else is fair game.
As an example, see @apifail2. It pops up a (harmless) box on your screen using JavaScript – but if it can do that, it can do a lot worse!
I think I’m going to stay off Twitter for a couple of days!
P.S. This isn’t the first time we’ve found vulnerabilities in Twitter… I wonder how many more there are out there? We got no response from them yesterday either, which is a shame. We don’t want to stop using their service because we’re worried about security, and I’m sure we’re not the only ones.
James
Update 28/08: This has probably been fixed, but without any official communication from Twitter it is hard to say for sure. The accounts I was using have been suspended and the exploit no longer appears to work as described. Whether it might still be working in a slightly altered form or on other accounts created before the fix I do not know.
Dave 1361 days ago
http://www.djb31st.co.uk
Very worrying indeed!!
Think I’ll stick to TwitterFox for a few days!
I can’t believe that their “FIX” was to just disable spaces!!
I think they need introducing to the strip_tags function?
Tiger 1361 days ago
http://www.seoblackout.com
It seems that they are more afraid of dofollow links than security issues….
rishil 1361 days ago
http://designer-watches.org
ha ha ah, Dave, once again you prove why you are one of my Heroes…
Shane 1361 days ago
http://www.shanedj.com
Bad vulnerability, epic find though.
just Guido 1361 days ago
Good stuff. And amusing pop-up. =)
I’m no developer so I don’t have a clue about how ‘bad’ this is, but it’s concerning that they’re not giving this the priority it deserves from a user’s point of view. After they’ve been warned and shown a demonstration. Twice. Wonder how long until they will ban this account.
Out of curiosity: is it against the law or Twitter TOS to build an app that would actively spread the word in a non-harmful way while proving the point?
Allan Stewart 1361 days ago
http://www.fireflyseo.com
Man, this is terrible news! I think I might stay off Twitter for a while.
Might be sensible to start a twitter badge campaign to increase awareness?
Anyone up for it?
Justin Parks 1361 days ago
http://www.justinparks.com
Well, this is a bit of a bollocks-up, isn’t it. @just Guido as far as I can tell it is against their terms of service, but once the damage is done, it’s a bit late to wander off quoting legal babble and even if the malicious accounts are banned or stopped, they just open a new one straight away in a few seconds, not good.
Nice find Dave all in all, but it worries me more what you haven’t come across, if that’s the soft version then what happens when bank details and identity theft kicks off. I would expect Twitter to address this ASAP, publicly and in depth and start beefing up security and code immediately before something BAD happens.
Shane 1361 days ago
http://www.shanedj.com
Get the Badge set up Allan, I’ll join in!
Gareth Trufitt 1361 days ago
http://trufitt.com
How they haven’t got their arses in gear and fixed this yet I do not know!
David Fairhurst 1361 days ago
http://www.intelligentretail.co.uk
Nice find Dave, more headaches for the Twitter tech bods I guess! Seems like a bit of a schoolboy error to me – I would have thought that all forms on such a high profile website would have draconian levels of input checking!
Duncan 1361 days ago
http://www.duckonwater.co.uk
This is a rookie mistake made by guys who should know better! This is just asking for exploitation!
Good write up and examples – thanks for the heads up, I’ll make sure I Tweet this article.
Massive Twitter Security Problem Not Resolved Just Yet 1361 days ago
[...] today followed up on yesterday’s blog post with another one correctly claiming that the exploit still very much works. He proved as much by creating another dummy account on Twitter, which pops up a (harmless) dialog [...]
Allan Stewart 1361 days ago
http://www.fireflyseo.com
I am proposing this image to add to your twitter profiles. I just purchased from iStock so should be fine to use…
http://www.fireflyseo.com/images/twitter-security.jpg
Dave hope you don’t mind the link, feel free to host on your site if you want to remove it.
rishil 1361 days ago
http://designer-watches.org
Question: Would you guys consider this a hack?
DaveN 1361 days ago
@rishil we were careful not to pull any 3rd party JS but you could easily turn it into the biggest Malware distribution platform
Dave
Neil Yeomans 1361 days ago
http://twitter.com/neil_yeomans
Awww poor James Slater hasn’t gotten any credit for this (in blog comments or external articles), but Dave has:
http://www.techcrunch.com/2009/08/26/massive-twitter-security-problem-not-resolved-just-yet/
Just to clarify: this is James’s find right?
Falha de segurança crítica no Twitter permanece no ar mesmo depois de (supostamente) consertada | Web 1361 days ago
[...] o especialista em seu blog, a falha de segurança está no campo da API que permite que programadores insiram a URL do [...]
Allan Stewart 1361 days ago
http://www.fireflyseo.com
Rishi / Everyone…
It is a client-side hack so it’s unlikely Twitter web servers are compromised. The likelihood is this exploit has been in the wrong hands for a while and that there are a number of Twitter accounts out there which are used to gather in user password information. As everyone knows, MOST non-tech users use the same password on most websites, many of which, such as Amazon, hold credit card details. In my view this security exploit has the potential to be extremely damaging. The trouble is the damage may have already been done. I am not trying to be a doom-monger but either way Twitter should respond to this as a top-priority ticket item. As Justin Parks states, if this is indicative of the general approach to security at Twitter then I would advise people to stop using it immediately.
If you do feel brave enough to use Twitter at the moment and want to help raise awareness of this issue I have posted a tweet on adding a wee image to your profile picture.
http://twitter.com/fireflyseo/status/3554729419
dan 1361 days ago
if there is an exploit Dave is bound to find it
james 1361 days ago
Thanks Neil, you are correct. Oh well!
Gary Gilbert 1361 days ago
http://www.garyrgilbert.com/blog
Dave,
Thanks a lot for making us aware of this very nasty but simple to fix problem. I am a little disappointed that Twitter hasn’t managed to fix this yet. I mean XSS is one of the FIRST things you test for, or perhaps that’s just me.
Dhruv Sood 1361 days ago
http://www.psoodocode.com
Awesome find! And amazing how they still haven’t fixed it. I have one word for Twitter – AntiXSS!
Marty Martin 1361 days ago
http://www.twitter.com/mosquitohawk
That is crazy scary. Kudos to you for discovering it, you made the front page of Mashable today. It’s amazing that the folks at Twitter aren’t taking this *much* more seriously.
Bill 1361 days ago
http://www.billhartzer.com/
Amazing that their fix was “spaces”. I’m not a programmer by any means, but still that just doesn’t sound right. I totally agree: stop following people who you don’t know and trust. There’s most likely all sorts of other security issues with Twitter that we just don’t know about yet.
Nick Stamoulis 1361 days ago
http://www.brickmarketing.com
I think as Twitter grows larger and larger we will see more of these types of efforts. Hopefully Twitter will beef up their internet security a bit more.
Someone 1361 days ago
It’s XSS.. I mean… Get over yourself.
Tom 1361 days ago
http://socialmediasecurity.com
Another way to mitigate this as a user (if using the Twitter web client) is to install the NoScript add-on for Firefox. NoScript can prevent XSS in “most” cases.
Warning: Evil Twitter Pop-up Could Hack Your Account 1361 days ago
[...] such panic? Because, if you ever see a pop-up similar to that above, it may not be as innocuous as the one created by the guys over at Dave Naylor’s blog. In fact, someone with half an ounce of tech savvy [...]
Tobias Svensson 1361 days ago
http://return42.blogspot.com/
While this seems to be the dream of every Twitter-spammer, I wonder why I haven’t seen this in action, yet.
Victor Lonmo 1361 days ago
http://www.googlerank.ca
Excellent article Dave. Given the vulnerability of Twitter it is surprising that it has not been attacked this way. It’s also shocking that Twitter does not have a more comprehensive filter for all messages sent through it. (I’m not much of a programmer and even I know better.)
Andre 1361 days ago
Wow David you are a genius for finding this. This is why you are an SEO god!
ps just playing around, James is my new hero.
Scott Bowler 1361 days ago
http://blog.quba.co.uk
Looks like it’s been fixed; recently, tweets containing code characters get converted to their HTML code equivalent.
Bob 1361 days ago
Your twitter account just got suspended.
Vinay 1361 days ago
http://twitter.com/iVinay
Sweet, Twitter has gone ahead banning the @apifail account but not fixing their security loophole! Just great!
carla 1361 days ago
I see that Twitter have suspended the apifail2 account – interesting to see what they do over the next couple of hours re the problem
Twitter struggles to plug security hole | Twimmer.com :: Twitter News 1361 days ago
[...] to be stolen and even allow for the installation of malware. Twitter claims to have closed it, but Naylor says in an update today that a vulnerability still exists. Naylor explains why users should care:With a few minutes work, someone with a bit of technical [...]
Matt Katz (mattkatz) 's status on Wednesday, 26-Aug-09 15:00:03 UTC - Identi.ca 1361 days ago
[...] http://www.davidnaylor.co.uk/twitter-exploit-still-works.html [...]
Andy 1361 days ago
Firstly, feel a bit sorry for you James. I suppose that’s part of the double edged sword that comes with blogging on a domain that became famous for one person’s contributions! Still a few of us spotted that it was you and not Dave that picked up on this, so kudos!
Secondly, who else instantly thought of using a twitter name in a decent search vertical, building up its rank and then chucking in a redirect using this vuln?
Your Twitter Account is in Jeopardy 1361 days ago
[...] According to Slater (and the issue has been acknowledged by Twitter, just not fixed), anyone who simply sees your tweets from when you’re logged into Twitter, can run some code inside your browser and take over your account, which can lead to malware spreading, impersonation, or whatever you can imagine. [...]
DaveN 1361 days ago
LOL @andy James works here as well, he is on the payroll..
Dave
Andy 1361 days ago
Ahh, my uni took that stance: You are being educated by us and therefore anything you do, write or create whilst under our instruction is ours
I gathered he was part of the team at Bronco, but he should still get credit where credit is due!
paul carpenter 1361 days ago
http://www.itsafamilything.co.uk
Hehe – this is moving fast… the Guardian are on it. Still no official word from Twitter…
Andy 1361 days ago
Double kudos… earning your boss 3 followed links from a major UK newspaper website
maurice 1361 days ago
http://hauntingthunder.wordpress.com/
Fuck my hat, Twitter’s technical people really are fracking useless when one of them went whining about “how the internet (built 25 years ago) wasn’t suitable for them”.
I even got a link from Valleywag and a comment from Vint Cerf on my blog (well I’m 85% certain it was him)
John T. 1361 days ago
Who did you try contacting at Twitter? If you send an email to security@twitter.com you should get a response within the day.
Nick 1361 days ago
http://anderenterprises.com
Has there been any new developments on this security issue yet? I am surprised that they would not put a real quick stop to it. REALLY appreciate the heads up on this one. Glad that I am following such alert people. Thanks again!
Twitter Security Exploit Still Hasn’t Been Fixed 1361 days ago
[...] to David Naylor, who found the exploit, the security issue still hasn’t been fixed, meaning that it still presents a danger to all Twitter users. Today, David has provided more [...]
Your Twitter Account is in Jeopardy | Google MSN Search 1361 days ago
[...] The skinny of it is if you tweet through Twitter.com, you may be putting your account in jeopardy. According to Slater (and the issue has been acknowledged by Twitter, just not fixed), anyone who simply sees your tweets [...]
Gabe da Silveira 1361 days ago
http://darwinweb.net/
@Allan Stewart – Just at a cursory glance I see no reason why this would expose the user’s password. The exploit is to steal their Twitter login cookie. There should be no password information there. If there is, well, then the problem is much worse than indicated here.
Stuart 1361 days ago
http://www.designmeme.com/
Setting up a user style-sheet (eg. with the Stylish Firefox extension) and adding the following:
span.entry-meta span a script { display:block; color:#fff; background:#f00; }
will let you quickly see if any of the tweets you’re viewing on the Twitter website contain scripts inside the link to the posting application’s website.
Miguel 1361 days ago
LOL, that just shows how good of a framework ROR is. (jk)
Jonthan Lulich 1361 days ago
http://60MinutesFame.com
All I can say is ouch! For such a widely used service you would think they could find a correction for this exploit. Same goes for MySpace. Seems to be several vulnerabilities there as well, concerning JavaScript injections. Hate to stop using these services due to lack of security.
hope they find a fix soon!
Cooksey 1361 days ago
Naww, It banned the account.
Freelance Seo 1361 days ago
http://www.seomysite.co.uk/
Indeed, they do seem to be far more concerned over dofollow links than security. Which by the way I still think it’s ridiculous that tweet links are not followable….
I never really liked twitter anyway……………..
Jack Hanington 1361 days ago
It’s nice of you to share your IP address with the readers of this post + all of YouTube. =D
Just saying… in the bottom right hand corner of your browser is your IP and that you are not on a proxy. Is this the onion router? Good post though.
DaveN 1361 days ago
Hi Jack, the IP address is the IP of Twitter, that’s all :)
Amelia Vargo 1360 days ago
Excellent find, it’s a shame that Twitter themselves don’t seem to be doing much about it… Security risks like this will turn many people off using Twitter. Fixing this should be their top priority.
Thanks for highlighting this problem, without people like you this sort of thing would probably go unnoticed for ages!
Sarwar Faruque 1360 days ago
http://www,sarwarfaruque.com
Excellent find! Twitter really needs to start patching its bugs fast. It seems so easy to execute that people with very little experience can actually start exploiting this. Worse off, it makes Twitter spam even easier than ever before!
Emil Stenström 1360 days ago
http://friendlybit.com
Seems that they suspended apifail2 now too. I wonder if they fixed the bug too?
alfon 1360 days ago
http://staticsilence.com
I use Twitter too but don’t really know much about this.. Nice info bro..
TravisV 1360 days ago
http://www.itdatabase.com
What other web app with that degree of popularity is (1) down as often as it is (2) puts wacky restrictions on things like # of searches (3) has gaping security holes? Hard to think of anything as widely used (perhaps IE?) that is as poorly thought out from a technical perspective.
TravisV 1360 days ago
http://www.itdatabase.com
Err – obviously I know that IE is a browser (not a web app). But the only real example I can think of where the popularity / quality is as disproportionate.
Elizabeth K. Barone 1360 days ago
http://facebook.com/elizabethbarone
Your test account’s been suspended…
Is this issue fixed yet? I can’t find anything saying it’s been fixed, and the Twitter blog/status sites have absolutely nothing about this, which is downright sketchy to me. I mean, at least acknowledge that there’s a problem!
Steve 1360 days ago
http://www.laokay.com
I think they should’ve known better.
Blogs are stripping out all sorts of code out of posts to stop malicious things from happening.
Has nobody learned anything by now?
Steen Öhman 1359 days ago
http://www.ohmanresearch.com
Great stuff …
An article about James Slater’s discoveries was just posted in one of the big Danish newspapers.
http://ekstrabladet.dk/kup/elektronik/article1212838.ece
Update: Your Twitter Account is Still in Jeopardy | Msn Yahoo Google 1359 days ago
[...] News, WebProNews, Zdnet News, google news, social media, twitter Update: There is now a video up on Dave Naylor’s blog about the Twitter exploit, which I have embedded below. Meanwhile, Twitter has yet to respond to [...]
Dave 1359 days ago
Pretty pompous of you to expect Twitter to immediately answer your every request/question/comment. It’s great that you found the flaw and let them know about it, but at the same time you expect them to let you know everything they are doing AS THEY DO IT. Not a few days later after they have a chance to test everything.
Rify 1359 days ago
http://www.smile-marketing.co.cc
Thanks 4 article
David Michaels 1359 days ago
http://www.insidethetourbus.com
Bad news for everyone who feels the need to tell the world they just brushed their teeth!
Name 1355 days ago
http://hubpages.com/hub/Cupid-Dating-Sites
“Unfollow people you don’t know”
Wow that could take awhile. Everyday I get several new followers that I have no clue as to who they are.
Noah 1354 days ago
http://wealthnetpartners.com/blog/
I can’t help but wonder how you even discovered this exploit in the first place…
DaveN 1354 days ago
@noah if it ain’t broken stress test it… ps tor ain’t all they are cracked up to be
exit nodes leakage and all that …
Dave
Becky 1354 days ago
http://www.beckynaylor.co.uk
Has there been any official word yet if this problem has been fixed .. or do we all just presume it’s OK again now?
Twitter Spam and Other Exploits | dropthedigibomb.com 1312 days ago
[...] highly recommend your read David Naylor’s post on Twitter Exploits (Thanks to @Nik_G for sending me this link). It may help prevent you from being [...]
karen 1239 days ago
http://www.satelliteview-of-my-house.com
Does that problem still exist on Twitter? Sometimes I’m using my cellphone to blog but sometimes my tweets don’t appear on my Twitter page.
Rash 1237 days ago
http://www.webtopvideos.com
Never thought such a top service like Twitter can be exploited this easily and makes some really primary school mistakes. Good catch!
Hope Twitter gets serious about this and does all necessary fixes to give its users a secure way to socialize.
Robin 1183 days ago
http://www.itopsoft.com
I think I’ve found just another precious deposit
Brent Payne talks on the State of Search radioshow about giving people different pages - State of Search 969 days ago
[...] New Twitter design Post on David Naylor’s blog [...]
Attack of the Tweets: Major Twitter Flaw Exposed « ROAM DATA Smart mCommerce News 901 days ago
[...] for instance. “Whatever I type in that box will appear at the end of my tweets,” he blogged in a follow-up post. “Anyone who sees that tweet will then be viewing that [...]