Twitter fixes XSS flaw after being exploited

Share this article:
Cybercriminals this week took advantage of a cross-site scripting (XSS) vulnerability on Twitter that since has been fixed, according to security researchers.

A malicious JavaScript payload distributed on Twitter took advantage of the XSS flaw to steal users' session cookies and send them to two attacker-controlled servers, Stefan Tanase, security researcher for anti-virus firm Kaspersky, wrote in a blog post Tuesday. The malicious payload was being distributed via malicious links included in tweets.

Written in Portuguese, the malicious tweet claimed that Brazilian pop band Restart had suffered a “tragic accident.”

Simply clicking on one of the shortened links caused a user's account to be compromised. Web statistics from URL redirection service bit.ly indicate that one of the links used in the attack was clicked more than 116,000 times. 

Based on the content of the tweet, researchers believe the attack originated from Brazil. Moreover, the domains used in the attack were registered under Brazilian names and one of them was hosted in the South American country.

Twitter fixed the vulnerability shortly after attackers began exploiting it, according to Kaspersky. Additionally, Twitter reset passwords belonging to individuals who appeared to have been affected, a company spokeswoman told SCMagazineUS.com on Wednesday

The flaw, which affected the Twitter developer platform search field, was first disclosed on July 29 by a researcher using the handle “cbr,” according to the XSSed project, an online archive of XSS flaws.

Earlier this week, Mike Bailey, senior security researcher at vulnerability assessment and testing firm MAD Security, released a proof-of-concept on Twitter that exploited the vulnerability. When clicked, the demonstration caused users to Tweet "@mckt_ (Bailey's Twitter handle) just compromised my Twitter account with XSS. http://bit.ly/bvnkDB #twitterXSS.”

“These things are ridiculously easy to attack,” Bailey wrote. “While this demo requires interaction, it doesn't have to. The entire attack could just as easily be completely silent.”

Over the summer, bug hunters reported at least three other XSS vulnerabilities on Twitter, all of which were quickly fixed, according to the XSSed project.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.