Tuesday, September 21, 2010

Twitter Hit With Major XSS Hack

Just after 7:30am EST this morning Twitter was hit with a major XSS hack that spread like wildfire. The bug was first discovered by security researchers at Kaspersky Lab, who then noted that several Twitter accounts had already been hit.

"Apparently, there is an actively exploited XSS vulnerability on Twitter. From my first preliminary analysis, you'll have to hover over a link to activate it and so far I have just seen some proof of concepts from people I follow. However, this vulnerability looks at least semi-wormable, so better turn JavaScript off on Twitter for now," Kaspersky Lab researcher Georg Wicherski said in a blog post on the bug.

In all, it is expected that more than 500,000 users may have been hit by the exploit before Twitter could patch the hole. According to a post by Del Harvey (@delbius), the head of Twitter's Trust and Safety Team, the security hole was patched at about 9:45 AM ET.

The original attacks leveraged a common JavaScript feature, the onmouseover event handler, which showed a pop-up window displaying the logged-in user's Twitter cookie. The attack later incorporated a cross-site request forgery component that forced users to retweet a piece of code.
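As an added illustration (not Twitter's code, nor the researchers'), the toy link renderer below shows in JavaScript why an injected onmouseover handler becomes possible when a URL is interpolated into an href attribute without escaping, next to the escaped form that keeps the quote inert. The sample URL, the function names and the handler body are constructed for this example.

```javascript
// Escape the five characters that matter inside a double-quoted HTML attribute.
const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

function escapeAttr(s) {
  return String(s).replace(/[&"'<>]/g, (c) => ATTR_ESCAPES[c]);
}

// Vulnerable: the URL is dropped straight into the href attribute, so a double
// quote inside it closes the attribute and the rest is parsed as new attributes.
function renderLinkVulnerable(url) {
  return `<a href="${url}">${url}</a>`;
}

// Hardened: escape for the attribute context and only autolink http(s) URLs,
// so a quote stays literal text and a javascript: URL never becomes a link.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) return escapeAttr(url); // render as plain text
  const esc = escapeAttr(url);
  return `<a href="${esc}">${esc}</a>`;
}

// Simple review check (heuristic, not a production filter): does any tag in the
// rendered HTML carry an inline on*= event handler attribute?
function hasInlineHandler(html) {
  return /<[^>]*["\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample: a URL carrying a quote followed by an event handler.
// Nothing is executed here; the functions only build and inspect strings.
const SAMPLE = 'http://example.com/x"onmouseover="void(0)';

console.log(renderLinkVulnerable(SAMPLE)); // handler lands inside the <a> tag
console.log(renderLinkSafe(SAMPLE));       // quote becomes &quot;, no handler
```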

Update: Twitter has now responded to the issue: All about the "onMouseOver" incident
