The original discovery of the weakness, known as a "cross-site scripting" (XSS) hack, seems to have been made by a Japanese developer called Masato Kinugawa. He says that he reported an XSS vulnerability to Twitter on August 14 - and then discovered that the "new" Twitter, launched on Tuesday 14 September, had the same problem.

At about 10am BST (the afternoon in Japan, where he is based) he set up a Twitter account called "Rainbow Twtr", which showed how the XSS weakness could be used to make tweets turn into different colours. Timing was key: on the west coast of the US, where Twitter is sited, it was the middle of the night, so nobody would have been watching for security flaws.

It's not clear whether some people had had the same idea, or realised the weakness, but next to spot the possibility was a Scandinavian developer, Magnus Holm. He spotted the idea and began playing with it - and then had the idea of extending the code so that it would retweet itself using the account of anyone who was signed in when they moused over the link.

At first he thought the worm wouldn't really do anything: "meh, this worm doesn't really scale. the users can just delete the tweet :(" he wrote. Then within a few minutes he saw that it had started spreading virally. I think this is exponential: "3381 more results since you started searching," he said - adding, a few minutes later, "This is scary."

Others picked the idea up and mutations began to appear. Some were used by a Russian site, others by a Japanese hard-core pornography site. A fresh mutation didn't wait for you to put your mouse over the link (as the warnings about that began appearing within minutes): a revised version turned the whole of the page into a "link", so that any Twitter user who was signed in would automatically retweet the infected link to their followers.

Only users of the Twitter website itself were affected; nobody using third-party software clients, which represent the majority of users, was infected, because those programs correctly escaped the URL (see below, How the hack works).

While all this was going on, Twitter was only just waking up. At 2.35pm BST - or 6.35am at Twitter HQ - it put out its first warnings. 25 minutes later, it had solved the problem: "The XSS attack should now be fully patched and no longer exploitable."

Richard Gaywood, a British developer and blogger, explains:

The exploit was a classic piece of Javascript injection. Suppose you write a tweet with the following text:

When you view the Twitter web page, that becomes a link, like so:

The exploit attacked that link-making function. Twitter didn't protect properly, probably because the character combination broke their parser. The raw text of the exploit tweet would read something like:

That link would generate the following page source:

This means that executable content (the onMouseOver="stuff" bit) has ended up in the page source code. Not knowing any better, the browser runs this code.
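
The link-making flaw Gaywood describes, as an added example that is not Twitter's code and not part of the original article: a linkifier that pastes the matched URL into the href attribute unescaped, beside one that HTML-escapes it first. The function names and the sample tweet are constructed for illustration; "stuff" is the article's own placeholder.

```javascript
// Added example. Names and the sample tweet are constructed, not Twitter's code.
const URL_RE = /https?:\/\/\S+/g;

// Escape the five characters that can change HTML structure.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed: the matched URL is pasted into the attribute verbatim, so a quote
// character inside it closes href early.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: escape the plain text and the URL, both as attribute and link text.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = escapeHtml(m[0]);
    out += escapeHtml(text.slice(last, m.index)) + `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Rough stand-in for a browser's tag parser: attribute names on the first <a>.
function anchorAttributeNames(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const attr = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return [...tag[1].matchAll(attr)].map((m) => m[1].toLowerCase());
}

// Constructed tweet: a quote character sits inside the "URL".
const tweet = 'look http://example.test/"onmouseover="stuff';

console.log(linkifyUnsafe(tweet));
console.log(anchorAttributeNames(linkifyUnsafe(tweet)));
console.log(linkifySafe(tweet));
console.log(anchorAttributeNames(linkifySafe(tweet)));
```

In the unsafe output the anchor carries an event-handler attribute that the tweet's author supplied; in the escaped output the same characters stay inside the href value as inert text.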