Twitter users subjected to worms

Certain twitter users, by which it seems the vast majority have found they were vulnerable to a Cross-Site-Scripting XSS vulnerability in the twitter software. It allowed the site to generate a self replicating worm that spread very rapidly across many users at the peak of it around 100 replications a second were being generated.

The result varied from harmless messages to more dubious redirects. The most amusing of these would perhaps have been former prime minister’s wife Sarah Brown’s twitter account redirecting people to pornographic accounts.  She has around 1.1 million followers. I would not be in the slightest surprise should 1.05 million of those actually took up the vulnerability spreading it further whilst visiting the Japanese Porn sites. I am sure we really don’t want to know what she ended up linking to! She updated her feed shortly afterwords to say sorry, I wonder if she took the opportunity to have a nosey herself.

This kind of security breach is relatively straight foward to resolve and given the size and popularity of Twitter, it is a surprise that no one ever considered the security aspects of user input! In the security world, users should never be trusted, they are out to get you!

The most interesting thing about these kinds of problems is they are relatively straightforward to deal with by assuming from the outset of the project by simply presuming that your users will go out of their way to destroy your system. Its true, users sooner or later will find ways to break the system either deliberately and maliciously or through sheer accidental foolishness. As a developer you need to think about these problems. Think about encoding raw input should you not need to do any processing on it that’ll easily prevent a sql injection. Or verify before inserting that it is in an expected format like a date should have 3 parts to it separated by a separator such as “/” so if you get 3 “/” and 4 sets of numbers then it cant possibly be a valid date now can it?

References
The Independant
xkcd

Leave a comment

Your email address will not be published. Required fields are marked *