What is Twitter, how does it work?
To understand why viral code was able to spread so easily on the Twitter social network, we first need to recall a few elements of how it works. Twitter is a microblogging service, but it is above all a social network. Today Twitter has become an essential communication and information channel, as Facebook already is. All major companies, online shops, governments and political parties now communicate with and inform the public through Twitter feeds.
When you sign up for Twitter, which is free of charge, you can:
- Post messages on your Twitter page. In Twitter terminology these messages are called "tweets"; they are comparable to blog posts, except that they are limited to 140 characters. They automatically appear in the Twitter homepage of anyone who follows your feed (such a person is called a "follower").
- Follow (subscribe to) other Twitter feeds, so that their posts appear in your own Twitter homepage.
- Retweet something you have read in a feed you follow. This feature, which plays a central role in the propagation of the worm discussed in this article, lets you share an interesting tweet with all of your followers (the retweeted message appears on your Twitter page as if you had posted it yourself).
From the elements listed above, you can see that Twitter was designed to propagate tweets from user to user. In particular, it is easy to imagine how a tweet that looks harmless and has attractive content can be relayed from followers to followers and reach thousands of users within minutes, thanks to the retweet feature.
Twitter, a breeding ground for spammers
Twitter, like other social networks such as Facebook, is a platform of choice for sending spam or even distributing malware. Because of the network's ability to spread information, malicious actors see it as a profitable channel for distributing advertisements as well as spyware.
The way attackers distribute spam on Twitter is as follows:
- The spammer illegally obtains the credentials of a number of valid Twitter accounts (mostly through phishing attacks).
- Using the stolen credentials, the attacker logs in and publishes messages on the compromised accounts. All followers of the compromised feeds then see the potentially malicious content in their Twitter homepage. Those followers, who have probably been following the compromised account for a long time, will not necessarily pay special attention to this content, since it comes from a feed they chose to follow long ago (the victim implicitly trusts the tweets that come from his subscriptions).
The messages sent by spammers may simply be advertising, or may aim at compromising more Twitter accounts by enticing users to click on malicious URLs (e.g. a link redirecting to a page that exploits web browser vulnerabilities in order to install Trojan horses on the system). As most URLs posted on Twitter are shortened, it is very difficult for the user to know in advance where such a URL will finally lead (this is precisely the topic of the Cert-IST article entitled "The danger of URL shortening").
The attack scenarios presented above are intrinsic to any social network: the infection spreads because most users are careless and blindly trust the other members of the network. In the rest of this article, we show that the situation is even worse when a real flaw is discovered in the platform hosting the social network.
Behind a worm propagation, an XSS flaw
Shortly after the flaw became known, the initial idea was reused by other hackers, who went further in exploiting it. For instance:
- First, an Australian teenager, Pearce Delphin (@zzap on Twitter), created tweets that opened a pop-up window when a visitor moved the mouse over them.
- Then a Norwegian programmer, Magnus Holm (@judofyr on Twitter), went even further and showed that the flaw could be used to create a self-replicating worm. Whenever a victim hovered the cursor over an infected tweet (the message being embedded in a solid block of black to hide the viral code), the message was immediately "retweeted", i.e. automatically relayed to all the victim's followers. Holm later reported that his worm, which was strictly harmless apart from its spreading effect, had infected more than 200,000 Twitter pages.
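The class of flaw behind this incident, shown as an added example that is not code from the page, from Twitter or from the people named above. The article does not spell out the injection point, so the example assumes the usual one for XSS in autolinked text: a URL concatenated unescaped into an href attribute, so that a double quote inside the tweet's URL closes the attribute and whatever follows becomes attributes of the tweet author's choosing. The tweet used as input is constructed for the demo and is not the payload used in September; the vulnerable autolinker is shown beside a hardened one, with a simple check that flags the injected event handler.

```javascript
// Added example, not Twitter's code. Assumed injection point: an autolinker
// that wraps URLs in <a href="..."> without escaping them.

const URL_RE = /https?:\/\/[^\s<]+/g;

// Vulnerable autolinker: the raw URL is concatenated into the attribute.
function autolinkVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Encode the characters that can change meaning in HTML text or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened autolinker: plain text and matched URLs are escaped separately,
// so a quote in the URL becomes &quot; and can no longer close the attribute.
// Only http(s) schemes match URL_RE, which also rules out javascript: links.
function autolinkSafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const safeUrl = escapeHtml(m[0]);
    out += `<a href="${safeUrl}">${safeUrl}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Heuristic check used here as a test oracle: does any tag carry an on*
// event-handler attribute? (A real audit would parse the HTML properly.)
function hasEventHandlerAttribute(html) {
  return /<[^>]*[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed tweet for the demo (not the payload used in the incident).
// The double quote after "@" closes href; the rest becomes attributes:
// a black-on-black style that hides the code, and a mouse-over handler
// standing in for "retweet me". In the real worm the handler ran in the
// victim's logged-in session and could therefore post on his behalf.
const PAYLOAD_TWEET =
  'http://example.invalid/@"style="color:#000;background:#000"onmouseover="alert(1)"/ check this out';

function demo() {
  const vulnerable = autolinkVulnerable(PAYLOAD_TWEET);
  const safe = autolinkSafe(PAYLOAD_TWEET);
  console.log("vulnerable:", vulnerable, hasEventHandlerAttribute(vulnerable));
  console.log("hardened:  ", safe, hasEventHandlerAttribute(safe));
  return { vulnerable, safe };
}

demo();
```

Run it with node. The point of the hardened version is that encoding is applied per context: the URL is escaped for the attribute it is placed in, the surrounding text for the text node it lands in. Building the link through the DOM instead (`a.href = url; a.textContent = url`) avoids the string-concatenation problem entirely, and a server-side fix must be applied on every rendering path, since the page notes that this very flaw had been fixed once and then came back with a later update.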
Fortunately, in this incident the Twitter development team was very reactive and the platform did not remain vulnerable for more than a couple of hours. During this short period, no computer infection with real malware was reported. Magnus Holm (one of the hackers who exploited the flaw) nevertheless reported seeing tweets leading to the download of spyware hosted in Russia, which means that by the time Twitter fixed the flaw, the worms launched by "amateur hackers" were about to be replaced by those of professional cybercrime gangs.
The propagation of this worm on Twitter in September is very instructive. It shows in particular that a web platform, however popular, can still be subject to serious security vulnerabilities. In the September incident, a flaw as obvious as cross-site scripting in tweets had not been detected during the website's development cycle. Worse, it had first been fixed and then resurfaced after an update of the platform, i.e. a regression. We could add that this is not the first time Twitter has been exposed to XSS vulnerabilities: recall the series of worms released on Twitter by Mikeyy Mooney, a New York hacker, in April 2009.
To conclude, social networks such as Twitter or Facebook are not only a threat to data confidentiality (users may, voluntarily or not, disclose information about their work environment); they are also a potential entry point for malware that exploits weaknesses of the platform in order to spread. Social networking websites are becoming increasingly complex, interactive and dynamic, which means increasingly complex code to run them (e.g. the systematic use of AJAX and HTML5 to exchange information between the web browser and the server). Complex code is necessarily much harder to audit and protect, and we are therefore convinced that security holes exploited on social networks still have a bright future ahead of them.
For more information:
- All about the "onMouseOver" incident (Twitter blog)
- The names and faces behind the ‘onMouseOver’ Twitter worm attack (Sophos)
- Twitter ‘onMouseOver’ security flaw widely exploited (Sophos)
- Twitter onMouseOver Spam (F-Secure)
- Worms Loose on Twitter.com (F-Secure)