Several new Internet worms are spreading quite rapidly via a newly-found vulnerability in Twitter.com. While the flaw that powers these attacks will most likely be sewn shut in a matter of hours, if you’re going to frequent Twitter today you’d be wise to use a Twitter client or at least block JavaScript on the site, as these worms appear to be spreading with little or no interaction on the part of users.
According to security firm F-Secure Corp., the trouble started earlier today, when several worms began spreading quickly by leveraging a cross-site scripting vulnerability in Twitter that used “onmouseover” techniques: a specially crafted tweet carried script inside an onmouseover event handler, so merely moving your mouse pointer over the malicious tweet ran that script in your logged-in session and resent the same message to all of your followers.
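To make the class of bug concrete, here is an added example (not code from Twitter or from this post) of a toy tweet renderer that turns a URL in a tweet into a clickable link. The vulnerable version splices the URL straight into an HTML attribute, so a URL containing a double quote can close the href value and smuggle in an onmouseover handler; the hardened version restricts the scheme and escapes the value for its attribute context. The payload shape and the names used are assumptions for illustration only.

```javascript
// Added example: attribute-context XSS in a link renderer, vulnerable vs. hardened.
// Everything here is constructed for illustration; it is not Twitter's code.

// Vulnerable: the URL is concatenated into an attribute with no escaping.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: only http(s) URLs become links (blocks javascript: URLs), and the
// value is escaped before it is placed between the attribute's quotes, so a
// quote in the URL can no longer terminate the href value.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) {
    return escapeHtml(url); // not a linkable scheme: render as plain text
  }
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Tiny attribute tokenizer for the opening <a> tag: returns the attribute
// names a browser would see, so we can tell whether a handler was injected.
function attributeNames(html) {
  const tag = /^<a\s([^>]*)>/i.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  for (const m of tag[1].matchAll(attr)) names.push(m[1].toLowerCase());
  return names;
}

// True if any attribute on the rendered <a> tag is an event handler (on*).
function hasInjectedHandler(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

// Constructed payload: the quote closes href, then an onmouseover attribute follows.
const payload = 'http://example.test/@"onmouseover="alert(document.cookie)"/';

console.log("unsafe :", renderLinkUnsafe(payload));
console.log("  handler injected?", hasInjectedHandler(renderLinkUnsafe(payload))); // true
console.log("safe   :", renderLinkSafe(payload));
console.log("  handler injected?", hasInjectedHandler(renderLinkSafe(payload)));   // false
```

The point of the hardened version is the escaping step, not the scheme check alone: a renderer that merely validates "starts with http" still emits a second attribute the moment a quote appears in the value, which is exactly what lets a hover event fire script in the viewer's own session.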
The initial worms apparently began as a proof-of-concept, but a number of new Tweets on the Twitter trending topics page indicate that newer versions are silently redirecting victims’ browsers to sites hosting further malicious payloads.
Until this mess gets cleaned up, F-Secure is warning Twitter users to access Twitter through a client like TweetDeck instead of Twitter.com, or to disable JavaScript on the domain (always a sound idea). Clients talk to Twitter’s API rather than rendering the Twitter.com pages, so the injected handler never runs in them. Several readers have pointed out another solution: use mobile Twitter (m.twitter.com), which has no JavaScript. Alternatively, just stay logged out of Twitter for the next few hours.
The Twitter user who reportedly discovered the vulnerability — programmer Magnus Holm — remarked on his Twitter feed that in hindsight he probably should have reported the flaw to Twitter, “but when I discovered it, it had already been in the wild for some time, so I assumed they knew it. I’m not responsible for the tweets that block the whole screen and retweet. My worm was much less obtrusive.”
Update, 10:05 a.m. ET: I’m reminded now of why I generally don’t write about the Twitter/Facebook malware threats-of-the-day: Because they’re usually no longer a threat by the time you write a blog post about them! Twitter is now reporting that it has fixed the vulnerability.
Update, 1:31 p.m. ET: Twitter’s security chief Bob Lord now has a blog post describing what happened with this worm. Lord writes: “This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.”
This is another good argument for using Firefox with NoScript (http://noscript.net/), which intercepts cross-site scripting attacks.
Doh! I meant to mention that in the blog post. Thanks, Bill.
Unrelated to this incident specifically, but good advice nonetheless, is that users should use Flashblock or similar in conjunction with NoScript. It is true that NS blocks Flash, but if you instruct the plugin to temporarily allow scripts on a page, it will also launch any Flash there as well. Flashblock allows you to view the site but still selectively activate Flash elements.
Following your suggestion I installed FlashBlock (to use with NoScript), but I right away uninstalled FlashBlock because JavaScript must be running for it to work. JavaScript is a bigger devil than Flash, and I haven’t had it on my computer in months.
You don’t actually need FlashBlock, just “NoScript Options|Embeddings|Apply these restrictions to whitelisted sites too”.
BTW, you can’t rely on FlashBlock for your security, see http://hackademix.net/2008/06/08/block-rick/ and http://hackademix.net/2010/09/14/yet-another-adobe-flash-unpatched-vulnerability-actively-exploited-in-the-wild/
Yes, that’s how mine’s set up. Many, many thanks for NoScript. It was a devil to drive the first time I (non-geek) tried it but can’t live without it now. Applause! Applause!
Running NoScript didn’t prevent the issue for me. Running the latest version with pretty much default config…
Hi Victor — Is it possible you had already told NoScript to allow scripting on Twitter.com?
Looks like that’s what happened indeed, Brian; please disregard my remark on NoScript. Going to review my NoScript settings now 🙂
Well . . . the way I use Twitter, when I’m reading tweets I have NoScript blocking almost all scripts. But, but, when I want to post I allow all scripts! Well, at least I did.
THUS A QUESTION: What scripts can I keep Off and still post? – David
My startup NoScript settings are: 1) Temporarily allow top-level sites by default = OFF. 2) There are only a handful of sites in my white list, including Google and my workplace. 3) Allow scripts globally = OFF.
When I allow scripting on a site, it is temporary only, so that it resets to off when I exit Firefox. And I temporarily allow only the top-level site, and add subordinate sites only as needed, one at a time. Ad sites, which might contain malware, never get allowed.
I also use Verify Redirect.
Ruh roh, twouble with twitters….. ;P
http://www.youtube.com/watch?v=PN2HAroA12w
My protection is simple. I am not a member of any social/info sites. I tend to feel they are useless and bring in more drama than benefit.
The only thing I find more annoying than the “Follow me on Twitter” or the “Join me on Facebook” (sorry Brian) are the television/radio ads to “Ask your doctor about…”
Ask your doctor about Tequila 😛
http://www.youtube.com/watch?v=EldQzTxSKMM
But, I guess to each his own, although this about sums it up:
http://www.youtube.com/watch?v=KHAZt-Exuaw
😛
I often wonder why exploits such as this are just displaying pranks. Imagine the potential as a delivery platform for malware for both mobile devices and desktops.
I wonder when that day might come.
I’m now reminded of why I don’t use Twitter other than the fact that I really don’t care if my buddy is taking a shower right now.
ISC SANS had an interesting post recently (http://isc.sans.edu/diary.html?storyid=9556) about how the Facebook “Like” feature was being used in a mischievous way. This time it was only used to direct people to ad-type sites. Next time it could be malicious! Considering the number of people using these social networking sites, the potential damage could be considerable!
Brian, even if the threat is old, I think many (including me) still find things like this interesting.
As a general question, what (at worst) can malicious JavaScript do while NoScript is set to temporarily allow top-level sites by default? How much do those things differ between Windows and Linux?