Threat Management, Vulnerability Management

Twitter recovers after second worm attack in a week


Twitter is cleaning up from another fast-spreading worm that took advantage of a popular class of vulnerabilities and the inherent trust many users have for the microblogging site.

In Sunday's incident, users who were logged into their Twitter accounts and clicked on a malicious link contained in a tweet simply stating "WTF" automatically tweeted out a sexually explicit message involving goats, as well as a copy of the message to which they fell victim.

"All the user sees if they visit the link is a blank page, but behind the scenes it has sent messages to Twitter to post from your account," Graham Cluley, senior technology consultant at security firm Sophos, wrote in a Sunday blog post. "The messages obviously couldn't be sent if you weren't logged into Twitter at the time you clicked on the link."

Twitter, in a blog post Sunday, said it had stopped the spread of the worm by fixing a vulnerability and that it was working to delete any tweets that contained the malicious link.

"Chances are that the reason why this attack spread so speedily is that people were curious to find out what they would find at the end of a link only described as 'WTF,'" Cluley wrote. "[T]he attack has highlighted an obvious security problem in Twitter which must be addressed as a matter of urgency."

The worm was able to spread on the Twitter platform thanks to a cross-site request forgery vulnerability, a popular attack class that leverages the trust a particular website has for an authenticated user.

Days earlier, an even more infectious worm spread through Twitter by taking advantage of a cross-site scripting vulnerability that opened a pop-up box or a spam or pornographic website in a user's browser if they simply moused over a malicious link contained in a tweet. Hundreds of thousands of Twitter users reportedly were affected before Twitter plugged the hole.

A Japanese hacker reportedly took credit for the worm and said he launched it to make Twitter aware of the insecurity of its site.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.