Twitter hit by worm that infects other tweets with rogue code

News by Dan Raywood

Twitter has been hit by a massive cross-site scripting worm with its users spreading suspicious code by simply moving their cursor over another's tweet.

Twitter has been hit by a massive cross-site scripting worm with its users spreading suspicious code by simply moving their cursor over another's tweet.

Appearing either as code, as a word which users are accidentally re-tweeting or as a coloured ‘block'. The attack has been going on for over an hour at the time of writing and appears to have no end in sight.

The code redirects users to third-party websites without their consent and uses a JavaScript function called ‘onMouseOver', which is currently being used as a name for the situation.

Graham Cluley, senior technology consultant Graham Cluley at Sophos, commented that thousands of Twitter accounts have posted messages exploiting the flaw, with victims including Sarah Brown, wife of former Prime Minister Gordon Brown, who had a tweet redirect over a million users to hardcore porn site based in Japan.

Cluley initially said that the exploit was being used for fun, but it could be used to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed.

He said: “Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of colour (known as 'rainbow tweets'). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.”

F-Secure CTO Mikko Hypponen confirmed this view, saying: “While Twitter's security team is scrambling to close this loophole, we expect the problems to continue. It's perfectly possible that there will be more malicious attack, possibly combining this technique with browser exploits.”

Costin Raiu, director of global research and analysis team at Kaspersky Lab, commented that at the moment there is ‘roughly 100 new infected users per second' with the new worm.

Kaspersky Lab's Georg Wicherski said: “It's one of these days where I just had one of these 'Oh no...' moments when I logged into my Twitter account and suddenly a message box with my cookie popped up.

“From my first preliminary analysis, you'll have to hover over a link to activate it and so far I have just seen some proof of concepts from people I follow. However, this vulnerability looks at least semi-wormable, so better turn JavaScript off on Twitter for now.”

He later confirmed that the vulnerability can be exploited with no user interaction automatically, and that it is possible to load secondary JavaScript from an external URL with no user interaction, which makes this definitely wormable and dangerous.

Security experts have advised that the best course of action is to use third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter's web interface. Also, if your Twitter account contains a message abusing the flaw, you can delete it using a third-party app. At the time of writing there has been no response or action from Twitter.

Christopher Boyd, senior threat researcher at GFI Software, said: "While there's a possibility that bad actors may use this to direct end-users to malware and phish pages, I'd like to think Twitter will have this under control before that happens. However, we are surprised that Twitter has not suspended the main web site while it works on a fix."

Update - Writing via its Safety page, Twitter said that it has identified the issue and is patching against the cross-site scripting attack.

Update - The worm appears to have been written by Magnus Holm, who said that as far as he knew he started the first worm, but could not say for sure.

Writing on his Twitter page, he said: “I guess I should have reported the hole, but when I discovered it, it had already been in the wild for some time, so I assumed they knew it.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews