Twitter Attack via JavaScript Exploit

Hundreds of thousands of Twitter users were hit Sunday with JavaScript code that redirects users to a site with a goat. Then it displays an obscene message.

The URL and JavaScript code are:

http://pastehtml.com/view/1b7xk3b.html

var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility = "hidden";
el2.style.visibility = "hidden";
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);

The code snippet above appears to affect only certain Windows-based browsers. Apparently, if you have Chrome on Linux you may not be affected.

The tweet starts with "WTF", so avoid that link.

To see some of the remarks about this tweet, go here. (Note: it is safe to view, but may be embarrassing.)

How it Works

That WTF link opens two iframes. It doesn't technically hack your Twitter account; instead, it uses your logged-in browser session to tweet. In security terms, this is called "cross-site request forgery" (CSRF).

Cross-site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. This is unlike cross-site scripting (XSS), which exploits the trust that a user has in a particular site; CSRF exploits the trust that a site has in a user's browser.

The exploit is actually easy. The main ingredients are:

  • Twitter allowing status updates through the API via IFRAMEs and GET requests, and thus being vulnerable to CSRF attacks
  • PasteHTML.com rendering user-supplied code and executing it, without a secure site around it
  • Clients or Twitter automatically applying the t.co link shortener, which hides the destination of the link

The code is nothing special. You create two elements (the hidden iframes above) that point to the Twitter update API and send a request to do a post. Then, because the user who clicked on the malicious link is authenticated with Twitter, the request is sent to the site on their behalf. This is the same trick that worked for the "Don't click this button" exploit.

Source: Social Media
