By Daniel Peck, Research Scientist
Earlier today Twitter was both the target and the delivery medium of a large-scale cross-site scripting (XSS) outbreak, part spam campaign and part attack demonstration.
In the wee hours of the morning, Pearce Delphin, @zzap, discovered that when a URL was embedded in a tweet, script code following an '@' character in the link was executed in the context of the page hosting the link, in this case twitter.com. Before long, Twitter was ablaze, and as of this writing "onmouseover" is still a trending topic. Throughout the day, people used the XSS for pranks (rickrolling), to demonstrate cookie theft, to redirect victims to porn sites, to push quite a bit of spam, and in a few instances to send victims to sites hosting exploits.
Several high-profile Twitter accounts were hit by the exploit (and in turn began spreading it to others), including Sarah Brown, wife of former UK prime minister Gordon Brown, and the official White House press secretary account (@presssec).
Twitter has fixed the vulnerability, though we're seeing reports that the patch wasn't complete and only blocked that particular exploit rather than the underlying flaw (an all too common problem). It is unfortunate that, just a couple of weeks after Twitter launched new features that gave users more reasons to use twitter.com directly, this latest XSS gives them a reason to second-guess that and stick with third-party clients for now.
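The two points above, a link whose tail breaks out of the href attribute and a fix that targets one payload instead of the flaw, come down to output encoding. The following added example (my own illustration, not Twitter's code or its patch) linkifies a constructed tweet two ways: a naive version that interpolates the matched token raw, and a hardened version that HTML-escapes every segment so no quote can close the attribute, whatever handler name follows it. The URL regex, `example.com`, and the `x` handler value are assumptions chosen for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed tweet text (not a real tweet): the token after the '@' carries a
# quote and an event-handler attribute. example.com and "x" are placeholders.
SAMPLE_TWEET = 'see http://example.com/@"onmouseover="x" now'

# One URL token = scheme, "://", then everything up to the next whitespace.
# The capturing group makes re.split() return URL tokens at odd indices.
URL_RE = re.compile(r"(\w[\w+.-]*://\S+)")
SAFE_SCHEMES = {"http", "https"}


def linkify_naive(text: str) -> str:
    """'Before' form, illustrative only (not Twitter's code): the matched token
    is interpolated raw into the href attribute, so a quote inside it closes the
    attribute and whatever follows is parsed as further attributes of the <a>."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(1)}">{m.group(1)}</a>', text)


def linkify_hardened(text: str) -> str:
    """Contextual escaping: every segment is HTML-escaped (quotes included) and
    only http(s) tokens become links. This neutralises the whole class of
    attribute break-outs rather than filtering one handler name."""
    out = []
    for i, part in enumerate(URL_RE.split(text)):
        safe = html.escape(part, quote=True)  # " -> &quot;  < -> &lt;  & -> &amp;
        if i % 2 == 1 and urlsplit(part).scheme.lower() in SAFE_SCHEMES:
            out.append(f'<a href="{safe}">{safe}</a>')
        else:
            out.append(safe)  # plain text, or a token with a non-http(s) scheme
    return "".join(out)


def injected_event_handlers(markup: str) -> list:
    """Defender's check, approximating browser tokenisation: inside each <a ...>
    start tag, an on* name that directly follows a quote or whitespace is a
    separate attribute. Returns the handler names found."""
    handlers = []
    for tag in re.findall(r"<a\s[^>]*>", markup):
        handlers += re.findall(r'(?:^|["\'\s])(on\w+)\s*=', tag)
    return handlers
```

Running the check over both renderings shows the naive output carrying an `onmouseover` attribute on the anchor, while the hardened output keeps the same characters inert as `&quot;` inside the href value.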