Sep 10

Nasty Twitter Worm Outbreak

Several new Internet worms are spreading quite rapidly via a newly-found vulnerability in Twitter.com. While the flaw that powers these attackers will most likely be sewn shut in a matter of hours, if you’re going to frequent Twitter today you’d be wise to use a Twitter client or at least block Javascript on the site, as these worms appear to be spreading with little or no interaction on the part of users.

According to security firm F-Secure Corp., the trouble started earlier today, when several worms began spreading quickly by leveraging a cross-site scripting vulnerability on Twitter.com that used the “onmouseover” event handler, meaning it was enough to move your mouse pointer over a malicious tweet to resend the nasty message to all of your followers.
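The bug class behind this worm is user-supplied tweet text landing inside HTML markup without escaping, so a quote character in the text can close an attribute and start a new one such as onmouseover. The following is an added illustration, not Twitter's code: a naive renderer beside an escaping one, plus a small audit that counts inline event-handler attributes in the produced markup. The function names, template and sample tweet are constructed for this example; the handler body is a harmless placeholder.

```javascript
// Added example (not Twitter's code). Shows how unescaped tweet text in an
// attribute yields an injected onmouseover handler, and how escaping for the
// HTML context prevents it. Names and sample data are constructed.

// Escape the characters that can break out of a text node or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: tweet text is interpolated verbatim into a title
// attribute and the element body. A quote in the text terminates the
// attribute and everything after it becomes new attributes on the element.
function renderTweetUnsafe(text) {
  return `<span class="tweet" title="${text}">${text}</span>`;
}

// Hardened rendering: same template, every interpolation escaped.
function renderTweetSafe(text) {
  const safe = escapeHtml(text);
  return `<span class="tweet" title="${safe}">${safe}</span>`;
}

// Defensive audit: count inline event-handler attributes (on*) in markup.
// Quoted attribute values are blanked first so that text inside a value
// cannot be mistaken for an attribute name; any remaining on*= is real.
function countEventHandlers(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  let count = 0;
  for (const tag of tags) {
    const skeleton = tag.replace(/"[^"]*"|'[^']*'/g, '""');
    count += (skeleton.match(/\son[a-z]+\s*=/gi) || []).length;
  }
  return count;
}

// Constructed sample: the quote closes the title attribute and the rest of
// the text becomes a mouse-over handler with a placeholder body.
const SAMPLE_TWEET = 'hello" onmouseover="void(0)';
```

Running countEventHandlers over each renderer's output gives 1 for the unsafe version and 0 for the escaped one; the same audit can be pointed at any server-rendered page containing user content.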

The initial worms apparently began as a proof-of-concept, but a number of new Tweets in the Twitter trending topics page indicate that newer versions are silently redirecting victim PCs to fetch more malicious payloads.

Until this mess gets cleaned up, F-Secure is warning Twitter users to use a Twitter client like TweetDeck to access Twitter instead of using Twitter.com, or to disable JavaScript on the domain (always a sound idea). Several readers have pointed out another solution: use mobile Twitter (m.twitter.com), which has no JavaScript. Alternatively, just stay logged out of Twitter for the next few hours.

The Twitter user who reportedly discovered the vulnerability, programmer Magnus Holm, remarked on his Twitter feed that in hindsight he probably should have reported the flaw to Twitter, “but when I discovered it, it had already been in the wild for some time, so I assumed they knew it. I’m not responsible for the tweets that block the whole screen and retweet. My worm was much less obtrusive.”

Update, 10:05 a.m. ET: I’m reminded now of why I generally don’t write about the Twitter/Facebook malware threats-of-the-day: Because they’re usually no longer a threat by the time you write a blog post about them! Twitter is now reporting that it has fixed the vulnerability.

Update, 1:31 p.m. ET: Twitter’s security chief Bob Lord now has a blog post describing what happened with this worm. Lord writes: “This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.” More here.


  1. This is another good argument for using Firefox with NoScript (http://noscript.net/), which intercepts cross-site scripting attacks.

  2. My startup NoScript settings are: 1) Temporarily allow top-level sites by default = OFF. 2) There are only a handful of sites in my white list, including Google and my workplace. 3) Allow scripts globally = OFF.

    When I allow scripting on a site, it is temporary only, so that it will reset to off when I exit Firefox. And I temporarily allow only the top-level site, and add subordinate sites only as needed, one at a time. Ad sites, which might contain malware, never get allowed.

    I also use Verify Redirect.

  3. Ruh roh, twouble with twitters….. ;P


  4. My protection is simple. I am not a member of any social/info sites. I tend to feel they are useless and bring in more drama than benefit.

  5. I often wonder why exploits such as this are just displaying pranks. Imagine the potential as a delivery platform for malware for both mobile devices and desktops.

    I wonder when that day might come.

    I’m now reminded of why I don’t use Twitter other than the fact that I really don’t care if my buddy is taking a shower right now.

    • ISC SANS had an interesting post recently (http://isc.sans.edu/diary.html?storyid=9556) about how the Facebook “Like” feature was being used in a mischievous way. This time it was only used to direct people to ad-type sites. Next time it could be malicious! Considering the number of people using these social networking sites, the potential damage could be considerable!

  6. Brian, even though the threat is old, I think many (including me) still find things like this interesting.

    As a general question, what things (at worst) can malicious JavaScript do while NoScript is set to temporarily allow top-level sites by default? How much do those things differ between Windows and Linux?