Offensive 'goat' worm hits Twitter with cross-site request forgery shortened link posted

News by Dan Raywood

Twitter was hit by a second worm in a week last night that spread offensive messages about goats.

It was hit by the 'onmouseover' attack last week, where users spread suspicious code by simply moving their cursor over another's tweet. Last night's worm saw people tweet 'I Like Anal Sex With Goats', followed by another that says 'WTF' and includes a link.

Clicking on the WTF link would take a user to a web page that contained some trivial code, which used a cross-site request forgery (CSRF) technique to automatically post from the visitor's Twitter account.

Among those hit was blogger Zee, who wrote that he found his account 'had tweeted something extremely vulgar' and said that it was not long before he discovered that a number of other users had tweeted the same thing.

He said: “That WTF link opens two iframes. It doesn't technically hack your Twitter account but does use your logged in browser session to tweet – this is reportedly called ‘cross-site request forgery'.”

Blogger Christian Heilmann wrote that the Twitter exploit was 'probably initiated by someone doing a security talk' and said that it was actually easy, requiring only that Twitter allow status updates through its API via an iframe and a GET request, which makes it vulnerable to CSRF; that the link shortener render code without a secure site around it and execute it; and that clients or Twitter automatically apply the link shortener.

He said: “Nothing magical there – all you do is create two SCRIPT files that point to the Twitter update API and send a request to do a post. As the user who clicked on the malicious link is authenticated with Twitter you can send them on his behalf.”

He said that the effects of this are negative because people will stop trusting the shortener, which was introduced precisely to be a trustworthy link shortener, even though the link shortening service itself was not compromised. He also said that the flood of bogus messages on Twitter is bad in itself and will break some implementations.

However on a positive note, he said that people will talk about the exploit and how it was done, people will be more conscious about clicking links and that Twitter will have to harden their API against CSRF.

“There is no real defence against CSRF from a user's point of view other than not clicking links you don't trust and turning off JavaScript. As this is a wide definition, we will get those over and over again unless API providers disallow for requests without tokens. This, on the flipside means that implementing one click solutions to tweet or like will be a lot harder,” he said.

Whitehat hacker Ryan Dewhurst wrote on his Twitter page that 'the Twitter goat worm looks like CSRF issue to me' and that 'no XSS being exploited'.

Blogger Mike Elgan said: “The WTF goat event today raises the interesting fact that tweets with links that say almost nothing are attractive to click on. Why? Because Twitter is a compulsion - we're hunting for something, and use information to eliminate options. Without info, don't eliminate.”

Twitter wrote on its status blog that the issue had been fixed a short time after. It said: “A malicious link is making the rounds that will post a tweet to your account when clicked on. Twitter has disabled the link, and is currently resolving the issue.”

Graham Cluley, senior technology consultant at Sophos, said: “The attack has highlighted an obvious security problem in Twitter which must be addressed as a matter of urgency - otherwise we can expect further (perhaps more dangerous) attacks.”
