Posted by: Robert Westervelt
cross site scripting, web application flaws, XSS
A worm attack designed by a 17-year-old hoping to promote a rival social network wreaked havoc on Twitter, but also highlighted the importance of finding and repairing Web application flaws.
A 17-year-old hacker claimed responsibility for attacking the Twitter microblogging service, crippling thousands of accounts with a worm designed to promote his social network.
The worm spread via a social engineering technique. The hacker first tricked users into clicking on a link to a rival social network. The link infected machines and exploited a cross-site scripting error to use the victim’s profile list to broadcast the malicious link to other users.
The attack was another example of the threat against social networks, where users post data that could be harvested and potentially valuable on the black market. Users of Facebook, MySpace and other social networks have been targeted by phishing attacks serving up malware designed to steal address books and other sensitive data. Experts say it’s easy to be duped by a malicious link or fall victim to Web application attacks within social networks.
In a message to Twitter users, the company’s co-founder Biz Stone said the attack was similar to the Samy worm, which spread on MySpace. “No passwords, phone numbers, or other sensitive information was compromised as part of these attacks,” Stone wrote in a blog entry.
The attack began at 2 a.m. on Saturday. It spread for about 3.5 hours until Twitter’s security team could identify and eradicate the worm. About 90 accounts were compromised. A second wave compromised another 100 accounts. Attacks continued with another wave on Sunday and again on Monday prompting the security team to delete about 10,000 tweets that could have continued to spread the worm.
“Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future,” Stone said. “We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.”
The attack is a reminder of the need to address Web application errors now, so developers of these applications clean up their poor coding practices. The OWASP Foundation has taken the lead on spreading the word to developers and companies using Web applications about the importance of security. But volunteers can’t do it all on their own. At some point social networks may need to band together to mop up coding errors and guard against attacks in a coordinated manner. They owe it to their customers, who have remained loyal even in the face of ongoing threats.