Twitter was hit with a cross-site scripting vulnerability Tuesday morning (21.9.2010) that could redirect users to dangerous sites.
As explained and demonstrated in some detail by Sophos's Graham Cluley, the attack has already been used to mess with the Twitter page of Sarah Brown, wife of the former British Prime Minister, among others. That attack redirected users to a porn site based in Japan, but worse things are possible.
Redirects could be used to send users to sites that deliver malware, to phishing sites, or other mischievous places.
Because the attack's bait looked so innocuous -- it's not uncommon for Twitter users to play around with funny embedded graphics in their otherwise text-only updates -- many people fell for them. Around Washington, the best known may have been White House press secretary Robert Gibbs; the crestfallen update he sent right after getting suckered appears in the image at right. (Poor guy.)
Twitter quickly posted warnings on its status blog and its "@Safety" Twitter account. About an hour later, it had fixed its old site to close the vulnerability.
Users of the redesigned version of Twitter were not affected, nor were those using mobile versions of the site or such separate applications as TweetDeck or Twitterfall. But because this attack -- in technical terms, a "cross-site scripting" -- took advantage of nothing more complicated than a Web browser's support for JavaScript coding, pretty much everybody else was vulnerable.
Twitter users have reported that they got hit in both Windows and Mac OS X while using the latest versions of generally more secure browsers such as Mozilla Firefox and Google's Chrome. (Weirdly enough, others have told me they weren't affected while running similar software configurations.) An anti-virus program would not have helped, as the attack didn't involve running a separate program.
We're only going to see more of this nonsense as our applications increasingly take the form of Web sites. Web users need to retain a healthy level of suspicion online, and browser developers need to stay on top of these threats. But it's even more important for Web developers to spot and stomp these flaws as soon as they can.
One good defense is to use a third-party, non-HTML based Twitter client. Some could be vulnerable, but it's less likely.
The solution for Twitter, filtering out JavaScript, should be relatively straightforward and may be applied by the time you read this.
By 9am Eastern time, it appeared that Twitter had fixed the bug, but it made an appearance again just 15 minutes later. Shortly thereafter, Twitter said via its @safety feed that "the XSS attack should now be fully patched and no longer exploitable."
