Hacking News

XSS on Twitter: worm risk

The XSS that is spreading like wildfire on Twitter right now is of the onMouseOver type.
It is immediately recognisable by the fact that the tweet has a completely black background:

The code that gets invoked is the following:

Text version: "onmouseover=";$('textarea:first').val(this.innerHTML);$('.status-update-form').submit()" style="color:#000;background:#000;/

The code does nothing special beyond re-tweeting the bug from your own profile as well (it copies the tweet's HTML into the status textarea and submits the update form).
Nothing dangerous for now, but the risk of a worm is very high.
The Sophos site reports:
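The bug works because the tweet text is concatenated straight into an HTML attribute, so a double quote in the "link" closes the href and whatever follows is parsed as new attributes. The following is an added example, not code from the original post or from Twitter: it shows a vulnerable rendering function next to one that applies attribute-context encoding, plus two small checks a reviewer can run over the rendered markup. The sample tweet, the function names and the use of alert() in place of the jQuery retweet calls are all constructed for illustration.

```javascript
// Added example (not from the original post): attribute injection of the
// Twitter onMouseOver kind, next to the output-encoding fix.
// The sample tweet text below is constructed; it is not the real payload.

// A tweet whose "link" ends the href attribute early and smuggles in a new
// attribute. The jQuery calls from the real payload are replaced with an
// inert alert() so the sample does nothing when rendered.
const SAMPLE_TWEET =
  'http://example.invalid/@"onmouseover="alert(1)" style="color:#000;background:#000;/';

// Vulnerable rendering: the URL is concatenated straight into an attribute.
// Whatever the user typed becomes part of the tag, including the quote that
// closes href and the onmouseover that follows it.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Attribute-context encoder: every character that could end the attribute
// value or start a tag is replaced with an HTML entity. The browser decodes
// the entities when it reads the attribute, so the href still carries the
// text, but the tokenizer never sees a closing quote inside it.
function encodeForHtmlAttribute(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened rendering: same template, encoded value.
function renderLinkSafe(url) {
  const enc = encodeForHtmlAttribute(url);
  return '<a href="' + enc + '">' + enc + '</a>';
}

// Check 1: does the markup contain an event-handler attribute (on...=) in a
// position the tokenizer would treat as a new attribute, i.e. right after a
// quote or whitespace? Browsers accept an attribute name immediately after
// a closing quote, which is exactly what the payload relies on.
function containsEventHandler(html) {
  return /[\s"']on[a-z]+\s*=/i.test(html);
}

// Check 2: count the quote-delimited attribute values in the opening tag.
// A correctly encoded link has exactly one (href); the injected version has
// more, because the smuggled onmouseover and style each open their own.
function countAttributeValues(html) {
  const tag = html.slice(0, html.indexOf('>') + 1);
  return (tag.match(/="/g) || []).length;
}

console.log('unsafe:', renderLinkUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderLinkSafe(SAMPLE_TWEET));
```

The point of the two checks is not to detect attacks in production but to make the difference visible in a unit test: the unsafe render has three attribute values and an event handler, the safe one has a single href and none. Encoding must be chosen per context (attribute, text node, JavaScript, URL); the attribute encoder above is the one that matters for this bug, because the injection point is inside a quoted attribute.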

The Twitter website is being widely exploited by users who have stumbled across a flaw which allows messages to pop-up and third-party websites to open in your browser just by moving your mouse over a link. Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister. It appears that in Sarah Brown’s case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That’s obviously bad news for her followers – over one million of them. To Mrs Brown’s credit, she has posted a warning on her Twitter page: “don’t touch the earlier tweet – this twitter feed has something very odd going on ! Sarah”… Some users are also exploiting the loophole to create tweets that contain blocks of colour (known as “rainbow tweets”). Because these messages can hide their true content they might prove hard for some users to resist clicking on them.

It seems the idea for the worm came from seeing this Twitter profile (RainbowTwtr), which produced a rainbow effect when you moved the mouse over it.
We can also state that applications built with the Twitter API are unable to reproduce the bug.
As for the mobile versions of Twitter (tested on my Android), the bug does not appear.

Update at 6:50 PDT, 13:50 UTC: an official post from Twitter staff confirms that the bug has been patched.
The official Twitter blog has published a post explaining the whole problem:

The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another user.

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Early this morning, a user noticed the security hole and took advantage of it on First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an “onMouseOver” flaw — the exploit occurred when someone moused over a link.

Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.

This exploit affected and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.

We’re not only focused on quickly resolving exploits when they surface but also on identifying possible vulnerabilities beforehand. This issue is now resolved. We apologize to those who may have encountered it.

Further updates will be posted in this article.
