Even Twitter Is Not XSS Safe


The recent XSS attack on Twitter shows that even big sites like Twitter are not safe from XSS attacks. Twitter is gaining popularity, so malicious users are trying to break it. Mike Mooney, a 17-year-old, started playing with it because he was bored. After finding a cross-site scripting (XSS) vulnerability in the Twitter application, he altered the code on four Twitter accounts to exploit the newly found vulnerability. Once set up, it was just a matter of waiting, a bit like fishing. Eventually someone viewed the profile page belonging to one of his Twitter accounts and, through the magic of a drive-by dropper, became the first victim. Finding more victims got a lot easier after that, as the worm started propagating using the following steps:

  • Each newly-infected Twitter application starts sending unauthorized Twitter messages (tweets) with malicious links to all available contacts found in the compromised Twitter account.
  • The flagged Twitter users start receiving tweets from a supposedly trusted contact (social engineering part).
  • The tweet asks them to check out a micro-blogging service called StalkDaily.com (hence the worm’s name).
  • As soon as the link is clicked, the Twitter application on that computer becomes infected with the worm.

It’s easy to see how the number of victims grows rapidly, especially if some of the initially infected Twitter accounts have large contact lists.

To make matters worse, users who haven’t received a malicious tweet can also become infected just by looking at a compromised Twitter profile page.

Several strains

The explanation above is a generic overview, as at least four versions have surfaced, each with slightly different social engineering techniques. To Twitter’s credit, they have been able to remove the problem each time, but the underlying Twitter application still appears to be vulnerable to XSS attacks.

How to remove

Even though the developers at Twitter have somewhat rectified the problem, infected profiles still exist. Here is how you can play safe:

  • Clear your browser cache and empty all of your cookies.
  • Log out of TweetDeck or any external applications you are using.
  • Check the URL and location areas of your profile (in Settings/Account on Twitter.com) for evidence of any malicious scripts. It’ll be obvious — something you haven’t added to these areas yourself. If you find anything, remove it.
  • On Twitter.com, change your password.
  • Log back in.
  • Go back and delete any tweets sent by you recommending StalkDaily. This is important.
  • Report @stalkdaily in a tweet to Twitter’s @spam account as follows: @spam @stalkdaily.

How to prevent this

Twittercism also has an excellent blog post that talks about how to prevent worms like StalkDaily and Mikeyy from infecting your Twitter profile. I thought I’d share a few of the more important points:

  • Use a Twitter client. The infection appears to take place while visiting a profile page, which is easy to do by accident when using the Twitter web interface. To avoid accidentally opening profiles, use a Twitter client like TweetDeck.
  • Avoid visiting user profiles on Twitter.com. This refers to active links that are advertised in Tweets or email alerts about new followers.
  • Be wary about clicking on shortened URLs. URL shortening also comes with spam overhead, so use it wisely.

Another big help in fighting this worm, as well as other malware, is to turn JavaScript off. That may not be possible for many, though. If not, I’d recommend using Firefox with the NoScript add-on.

XSS attacks are pretty common, and we will see more exploits in the coming years. Let me know if the above steps help you resolve the issue. If you’ve got any thoughts, comments or suggestions for things we could add, leave a comment! Also please subscribe to our RSS feed for the latest tips, tricks and examples on cutting-edge stuff.
