From a Twitter flaw to a "web 2.0" worm
Date : November 08, 2010
What is Twitter, how does it work?
In order to understand why a viral code has been able to spread so easily on the Twitter social network, we have to remind you some elements regarding the way it works. Twitter is a microblogging service, but it is probably before all things a social network. Today, Twitter has become an essential communications and information channel, as it is already the case for Facebook for instance. All major companies, online shops, governments and political parties now communicate and inform people via Twitter news feeds.
When you subscribe to the Twitter social network, which is free of charge, you get the ability to:
- Post messages on your Twitter page. These messages are called “tweets” in the Twitter terminology, and can be compared with blog posts, with the exception that they are limited to 140 alphanumerical characters (max). These messages automatically appear in the Twitter homepage of any person who follows your own Twitter feed (this person is called a "follower").
- To follow (to subscribe) other Twitter news feeds, in order to see their posts in your Twitter homepage.
- To retweet something you have read on a Twitter you are following. This process, which is largely involved in the propagation of the worm we are talking in this article, allows you to share an interesting tweet with all your followers (the retweeted message will appear on your Twitter page as if you posted it).
From the elements just listed above, you see that Twitter was designed to propagate tweets from users to users. In particular, it is rather easy to imagine how a tweet that appears harmless, and that has an attractive content, can be relayed in a few minutes from followers to followers, to reach thousands of users, thanks to the retweet feature.
Twitter, a breeding ground for spammers
Twitter, like other social networks such as Facebook, is a platform of choice for sending spam or even for distributing malware. In fact, because of the information spreading capability of that network, malicious persons may see it as a profitable way for sending advertisements as well as spywares.
The way hackers distribute spam on Twitter is as follows:
- The spammer illegally gets the credentials of a number of valid Twitter accounts (mostly using phishing attacks).
- Thanks to the obtained credentials, the attacker connects and publishes messages on the compromised Twitter accounts. As a result, all the followers of the compromised feeds will see the potentially malicious content appearing in their Twitter homepage. The so-called followers, who are probably following the just compromised page for a long time, will not necessarily pay a special attention to this malicious content, since it is published from a Twitter that they may have decided to follow for a long time (the victim implicitly trusts the tweets that come from his subscriptions).
The messages sent by the spammers can simply consist in advertising or in compromising more Twitter accounts by enticing users into clicking on malicious URLs (e.g. a link redirecting to a page that exploits vulnerabilities in the web browser in order to install Trojan horses on the system). As most of the URLs posted on Twitter are shortened, it is very difficult for the user to know in advance where such an URL will finally redirect (this is precisely the topic of one of the Cert-IST article entitled “The danger of URL shortening”).
The attack scenarios presented above are actually intrinsic to any social network, and the infection can spread because most users are careless and blindly trust the other members of the network. But in the rest of this article, we are going to show that the situation is even worse if a real flaw is discovered in the platform hosting the social network.
Behind a worm propagation, an XSS flaw
Because of the overly large amount of information circulating on Twitter and the speed with which the information is spreading over the network, it has been difficult to reconstruct the history of this vulnerability. But according to most of the information we gathered, it seems to be a Japanese man called Masato Kinugawa, who first discovered this Cross-Site Scripting (XSS) flaw in August. As a reminder, an XSS attack consists in inserting active code (usually JavaScript) on a vulnerable website. When a legitimate user of the vulnerable website browses to a compromised page, the JavaScript code is executed in his browser, and is granted the same privileges as the regular user of the site (Twitter in our case). The potentially malicious JavaScript code can thus perform any action which is allowed for the legitimate user.
In August, Masato Kinugawa noticed that it was rather easy to insert JavaScript in tweets, so long as the length of the code doesn’t exceed 140 characters, which is the limit fixed by Twitter. According to him, he reported the flaw on August 14, and Twitter developers quickly fixed it. But around September 21, the vulnerability suddenly resurfaced, apparently after a major upgrade of the web site. At this moment, the young Japanese hacker decided to create a Twitter account named @RainbowTwtr which goal was to demonstrate the vulnerability: when a visitor of this page was simply hovering the mouse cursor upon a link located in a tweet, the tweet was instantly turning into blocks of colour (which look like a rainbow. See for example the screenshots in this article from panda Security). In order to get this result, the hacker used the “onMouseOver” property of hypertext links in HTML, which provides the web browser an action to perform when the given link is hovered by the mouse. It is under this name (onMouseOver) that the attack was later relayed in the press.
Short after, the initial idea was reused by other hackers, to go further in the exploitation of the flaw. For instance:
- First, an Australian teenager called Pearce Delphin (@zzap on Twitter) created tweets that were opening a pop-up window when a visitor was rolling his mouse over them.
- Then, a Norwegian programmer named Magnus Holm (@judofyr on Twitter) went even further, and showed that the flaw could be used to create a self-replicating worm. Whenever a victim was hovering his cursor on an infected tweet (the message being embedded in a solid block of black to hide the viral code), the message was immediately “retweeted”: in other words it was automatically relayed to all the victim’s followers. Holm reported later that his worm, which was strictly harmless if we forget the spreading effect, had infected more than 200.000 Twitter pages.
- Finally, it appears that the main worm, the one which caused the most trouble, was created by a Twitter hacker using the Twitter userid @matsta (Twitter has not been able to identify him). Using the same process, his or her worm spread ferociously from account to account, infecting several hundreds thousands of Twitter pages including the one belonging to the British ex-Prime Minister's wife Sarah Brown (see this illustration showing her infected Twitter). This worm was especially efficient in particular because the infected Twitter page were very difficult to visit without causing the instant infection of your own Twitter account. In fact, as an infected page oftenly shows several tweets in very large characters (the screen could sometimes be practically filled with huge text), it could be nearly impossible to avoid activating the viral code while moving the mouse around. When the JavaScript code of this worm was being activated, it was redirecting the victim to porn websites or websites carrying online surveys, simply to generate clicks and make money (via the "pay-per-click" scheme which we described in 2006 in this article).
Fortunately in this incident, the Twitter development team was very reactive and the platform didn’t remain vulnerable for more than a couple of hours. During this small period of time, no computer infection with real malware was reported. Magnus Holm (one of the hackers who exploited the flaw) nevertheless reported that he observed tweets leading to the download of spyware hosted in Russia, which means that when Twitter fixed the flaw, the worms launched by “amateur hackers” were about to be replaced with gangs of professional cybercriminals.
Conclusion
The propagation of this worm on Twitter in September is very instructive. It shows in particular that a web platform, even if it is very popular, can still be subject to serious security vulnerabilities. Concerning the September incident, we can observe that a flaw as obvious as a "cross-site scripting" in tweets, had not been detected during the website development cycle. Worse, it had first been fixed, and resurfaced later after an update of the platform. We could even insist on this fact saying that this is not the first time that Twitter is exposed to similar XSS vulnerabilities (let’s mention for example these series of worms sent on Twitter by Mikeyy Mooney, a new York hacker, in April 2009).
So, we should be aware that a social network site is not necessarily out of harm's way, even if its popularity may let us think that the platform maintainers do their best to enforce user's security. The recent events do show that using a social network such as Twitter without respecting a number of best practices (using an up-to-date web browser in terms of security updates, using a plug-in that blocks JavaScript by default such as NoScript for Firefox), has become a dangerous behaviour today.
To conclude globally, social networks such as Twitter or Facebook are not only a threat for data confidentiality (users may, voluntarily or not, disclose information regarding their work environment), but they are also a potential entry point for malwares that exploit the weakness of the platform to spread. Social networking website are becoming increasingly complex, interactive and dynamic, which understandably implies a more and more complex code to handle these sites (e.g. the systematic use of the AJAX and HTML 5 technologies to facilitate the exchange of information between the web browser and the server). A complex code is necessarily much more difficult to audit and protect, and we are therefore convinced that the security holes exploited on social networks still have good times ahead.
For more information:
- All about the "onMouseOver" incident (Twitter blog)
- The names and faces behind the ‘onMouseOver’ Twitter worm attack (Sophos)
- Twitter ‘onMouseOver’ security flaw widely exploited (Sophos)
- Twitter onMouseOver Spam (F-Secure)
- Worms Loose on Twitter.com (F-Secure)