Article written on 08 November 2010
In this article, we revisit a flaw discovered on the Twitter social network last September, which could have led to the massive compromise of hundreds of thousands of computers worldwide if it had been used by malicious hackers. From a technical point of view, a "web 2.0" worm is very different from traditional worms such as Sasser or, more recently, Conficker, but it is not necessarily less dangerous, in particular because Twitter is built on the principle that information circulates from user to user within the community.
What is Twitter, and how does it work?
In order to understand why a viral code was able to spread so easily on the Twitter social network, we need to recall a few points about how it works. Twitter is a microblogging service, but it is above all a social network. Today, Twitter has become an essential communication and information channel, as is already the case with Facebook, for instance. All major companies, online shops, governments and political parties now communicate and inform people via Twitter news feeds.
When you subscribe to the Twitter social network, which is free of charge, you get the ability to:
From the elements listed above, you can see that Twitter was designed to propagate tweets from user to user. In particular, it is easy to imagine how a tweet that appears harmless and has attractive content can be relayed within a few minutes from follower to follower, reaching thousands of users thanks to the retweet feature.
Twitter, a breeding ground for spammers
Twitter, like other social networks such as Facebook, is a platform of choice for sending spam or even for distributing malware. Because of the network's ability to spread information, malicious actors may see it as a profitable channel for distributing advertisements as well as spyware.
The way hackers distribute spam on Twitter is as follows:
The messages sent by the spammers may simply be advertising, or they may aim at compromising more Twitter accounts by enticing users into clicking on malicious URLs (e.g. a link redirecting to a page that exploits vulnerabilities in the web browser in order to install Trojan horses on the system). As most of the URLs posted on Twitter are shortened, it is very difficult for the user to know in advance where such a URL will finally redirect (this is precisely the topic of a Cert-IST article entitled "The danger of URL shortening").
The attack scenarios presented above are actually intrinsic to any social network, and the infection can spread because most users are careless and blindly trust the other members of the network. But in the rest of this article, we are going to show that the situation is even worse if a real flaw is discovered in the platform hosting the social network.
Behind a worm propagation, an XSS flaw
Shortly after, the initial idea was reused by other hackers to push the exploitation of the flaw further. For instance:
Fortunately, in this incident the Twitter development team reacted very quickly and the platform did not remain vulnerable for more than a couple of hours. During this short window, no computer infection with real malware was reported. Magnus Holm (one of the hackers who exploited the flaw) nevertheless reported that he observed tweets leading to the download of spyware hosted in Russia, which means that when Twitter fixed the flaw, the worms launched by "amateur hackers" were about to be replaced by those of professional cybercriminal gangs.
The propagation of this worm on Twitter in September is very instructive. It shows in particular that a web platform, even a very popular one, can still be subject to serious security vulnerabilities. Concerning the September incident, we can observe that a flaw as obvious as a "cross-site scripting" in tweets had not been detected during the website development cycle. Worse, it had first been fixed, and then resurfaced after an update of the platform. It is worth stressing that this is not the first time Twitter has been exposed to similar XSS vulnerabilities (let us mention, for example, the series of worms sent on Twitter by Mikeyy Mooney, a New York hacker, in April 2009).
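The article does not detail the mechanism of the September flaw, so the following is an added illustration of the bug class it names (a stored cross-site scripting in tweet text), written for this page and not taken from Twitter's code. It assumes a tweet renderer that auto-links URLs: the naive version splices the raw tweet text into an href attribute, so a double quote inside what the linker treats as the URL ends the attribute early; the hardened version escapes every user-controlled fragment for the context it lands in and restricts links to http/https. The regular expression URL_RE, the function names and the SAMPLE_TWEET are all constructed for the example.

```javascript
// Added example (not Twitter's code): how a tweet renderer can open a stored
// XSS hole, and what the hardened rendering looks like. Only the bug class is
// illustrated; the real September 2010 flaw is not reproduced here.

// Permissive linker pattern (constructed): everything after http(s):// up to
// the next whitespace is treated as the URL.
const URL_RE = /https?:\/\/\S+/g;

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the raw tweet text is spliced straight into an href attribute.
// A double quote inside the "URL" terminates the attribute, and whatever
// follows is parsed by the browser as further attributes of the <a> element.
function renderTweetNaive(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED: every user-controlled fragment is escaped for the context it
// lands in, and the href is additionally parsed and restricted to http/https.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const raw = m[0];
    let href = null;
    try {
      const u = new URL(raw); // WHATWG parsing normalises and percent-encodes
      if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
    } catch (_) {
      // not a parseable URL: fall through and render it as plain text
    }
    out += href
      ? `<a href="${escapeHtml(href)}" rel="nofollow">${escapeHtml(raw)}</a>`
      : escapeHtml(raw);
    last = m.index + raw.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Defender's check: count attribute boundaries in the rendered markup. The
// hardened template emits exactly two attributes (four double quotes) per
// link, and no quote coming from the tweet author survives escaping.
function countAttributeQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed tweet: a link whose "URL" carries a quote and a bogus attribute.
const SAMPLE_TWEET = 'Check this http://example.com/"title="x now';

console.log('naive:', renderTweetNaive(SAMPLE_TWEET));
console.log('safe: ', renderTweetSafe(SAMPLE_TWEET));
```

Run with `node` to compare the two renderings: the naive output contains an attribute the tweet author chose, while the hardened output keeps the quote inside the link text as `&quot;`. The same escaping discipline applies to any other place tweet text is interpolated (titles, tooltips, JSON embedded in script tags), which is why output encoding by context, rather than input filtering alone, is the durable fix for this bug class.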
To conclude, social networks such as Twitter or Facebook are not only a threat to data confidentiality (users may, voluntarily or not, disclose information regarding their work environment), but they are also a potential entry point for malware that exploits weaknesses of the platform in order to spread. Social networking websites are becoming increasingly complex, interactive and dynamic, which understandably implies increasingly complex code to run these sites (e.g. the systematic use of AJAX and HTML 5 technologies to facilitate the exchange of information between the web browser and the server). Complex code is necessarily much more difficult to audit and protect, and we are therefore convinced that the security holes exploited on social networks still have a bright future ahead of them.
For more information: