Another Day, Another Twitter Exploit

by James Slater
Bronco - Digital Marketing Agency

Apologies to anyone out there who’s not a Twitter fan (e.g. our very own Carps springs to mind), but this is another Twitter exploit post. If you do use Twitter you’ll likely already have seen this one in action today, and if you don’t, you won’t be interested. Oh well.

The Problem

The actual exploit as I first saw it is quite simple. All it’s based on is sending out a tweet starting with http://t.co/@ and continuing with whatever HTML you want to inject into the page. t.co is Twitter’s homegrown URL shortener, and I would guess that something in their escaping logic is trusting it more than it should. Certainly the http://a.bc/@ I tried didn’t work.

The Worm

Somebody – perhaps not the person who originally discovered the issue – used it to inject a bit of code into their Twitter feed:

<a href="http://t.co/@"onmouseover="document.getElementById('status').value='RT jamslater';$('.status-update-form').submit();"class="modal-overlay"/" rel="nofollow" target="_blank">http://t.co/@"onmouseover="document.getElementById('status').value='RT jamslater';$('.status-update-form').submit();"class="modal-overlay"/</a>

Name changed to protect the guilty.

Neat. In a nutshell, if you hover your mouse cursor over the t.co link (“onmouseover”) the JavaScript code is executed. All that does in this case is fills in your status at the top of the screen (the “What’s happening?” box) with “RT jamslater” and virtually clicks the Tweet button for you. No, I didn’t know you could retweet someone by doing that, either.
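To make the escaping point concrete, here is an added example (my own code, not Twitter's and not the author's) of a hypothetical tweet linkifier that reproduces the class of bug described above: it HTML-escapes every URL it turns into a link except those on a "trusted" shortener host, which it inserts into the href attribute verbatim. The hardened version escapes every URL regardless of host, and a small check shows which rendered output ends up with an event-handler attribute after the href. The sample tweets are constructed; the second mirrors the shape of the payload quoted above but carries a harmless alert(1) instead of a retweet.

```python
import html
import re

# Constructed sample tweets. The second has the shape of the worm payload
# above (a t.co URL followed by a closing quote and an event handler); the
# third uses a non-t.co host, which the post notes did not work.
SAMPLE_TWEETS = [
    "Read this: http://t.co/abc123 great post",
    'http://t.co/@"onmouseover="alert(1)"class="modal-overlay"/',
    'Visit http://a.bc/@"onmouseover="alert(1)" now',
]

# Crude URL matcher: anything from http(s):// up to the next whitespace.
URL_RE = re.compile(r"https?://\S+")

# Hypothetical "trusted shortener" prefix that the buggy path skips escaping for.
TRUSTED_PREFIX = "http://t.co/"


def _render(text, url_to_attr):
    """Turn URLs in `text` into anchors. Non-URL text is always escaped;
    how the URL is placed into the href attribute is up to `url_to_attr`."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(
            f'<a href="{url_to_attr(url)}" rel="nofollow">{html.escape(url)}</a>'
        )
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_naive(text):
    """Buggy variant: URLs on the trusted shortener go into the attribute
    verbatim, so a double quote inside them closes the href early."""
    return _render(
        text,
        lambda u: u if u.startswith(TRUSTED_PREFIX) else html.escape(u, quote=True),
    )


def linkify_safe(text):
    """Hardened variant: every URL is attribute-escaped (quotes included),
    whatever host it points at. Trust in the host is irrelevant here."""
    return _render(text, lambda u: html.escape(u, quote=True))


# Detection check on rendered markup: a literal quote followed by an
# on<event>= attribute means user-controlled text broke out of the href.
ATTR_INJECT_RE = re.compile(r'"\s*on\w+\s*=', re.IGNORECASE)


def attribute_was_injected(rendered_html):
    """True if the rendered HTML contains an injected event-handler attribute."""
    return bool(ATTR_INJECT_RE.search(rendered_html))


def compare(tweets=SAMPLE_TWEETS):
    """For each tweet, report whether the naive and safe renderers leak an
    event handler into the markup. Returns a list of (naive, safe) booleans."""
    return [
        (attribute_was_injected(linkify_naive(t)), attribute_was_injected(linkify_safe(t)))
        for t in tweets
    ]


if __name__ == "__main__":
    for tweet, (naive_hit, safe_hit) in zip(SAMPLE_TWEETS, compare()):
        print(f"naive={naive_hit!s:5} safe={safe_hit!s:5} {tweet}")
```

Only the t.co-shaped sample trips the check, and only through the naive renderer; the same text through linkify_safe yields `href="http://t.co/@&quot;onmouseover=&quot;...`, which the browser treats as one long, harmless URL. The lesson is the one the post draws: output encoding has to depend on the context the value lands in (here, an HTML attribute), never on how much the application trusts the value's source.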

That’s how it’s spreading so fast and how every other tweet you see at the moment probably mentions it. By hovering over an affected tweet you’ll likely have retweeted it to your followers, perpetuating the cycle. This is fairly similar to the Samy worm that hit MySpace (remember them?) a few years ago.

It Could Be Worse

The code I found and examined above is fairly innocuous, if annoying. However, it isn’t limited to just sending retweets, it can essentially do anything that the Twitter website can. Send DMs, follow or unfollow people, send your login cookie off to somewhere nefarious, etc. It probably can’t change your password (you have to confirm your old one for that, thankfully) but my advice for the moment is definitely to sign out of twitter.com if you’re already on it. If not, leave and don’t come back until this issue is fixed.

External Twitter clients should be fine, unless they happen to suffer from the exact same bug. I’ve not heard of any issues outside of twitter.com.

tl;dr – Stay off the Twitter website for today. You’ve probably got work to do anyway.

Quick update: Twitter have patched it. They are “rolling out an update” at the moment.

Final update: The exploit has been patched. Panic over. Amusingly, an open source repository of Twitter-related code, controlled by a Twitter employee, has a fix in it for this exact issue dated August 23rd. Very odd that the same fix wasn’t committed to their website, especially given the public nature of the above code. It seems that they might very well have brought this on themselves.
