Sep 21, 7:29 am (UTC-7) | by Robert McArdle (Senior Threat Researcher)
As I write this, there are some rather unusual trending topics on Twitter, including:
- XSS
- OnMouseOver
- MouseOver
- Exploit
- Security Flaw
Searching for any of the said topics in Twitter should make what is going on immediately obvious. Essentially, there is a flaw in Twitter that allows the injection of JavaScript code into a Tweet. How does it work?
When you include a URL in your Tweet, Twitter automatically recognizes this. Then when it displays that Tweet via the browser, it wraps that URL as follows:
<a href="YOUR_LINK" class="tweet-url" rel="nofollow" target="_blank">YOUR_LINK</a>

The problem is, Twitter does not sanitize the URL. In particular, it does not check for the presence of quotes, which allows a user to post a link like:
http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//
Twitter recognizes this is a URL and happily wraps it in a link. The problem is, the quote in the URL closes the href attribute, so the onmouseover bit is added to the link tag (<a>) as an attribute, thus enabling a potential attack.
<a href="http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//" class="tweet-url web" rel="nofollow" target="_blank">http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//</a>
The onmouseover attribute defines a script, normally JavaScript code, that runs when users move their mouse cursor over the link. Using this bug, Twitter users can easily inject JavaScript code into their Tweets (and by my count, over 50,000 users have done so in the last 5 minutes). In my simple example, a pop-up window with the words "Sanitize user input!" will appear.
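To make the mechanism concrete, here is an added example (not Twitter's code) of a minimal link-wrapping step in the vulnerable form the post describes and in a hardened form that attribute-encodes the URL, with a check a test suite could run on the output; the payload string is the post's own example, embedded as a constructed test input.

```javascript
// Added example, not Twitter's code: a minimal "linkify" step of the kind the post
// describes, in its vulnerable form and in a hardened form, plus an output check.
// TWEET_URL is the post's own payload string, embedded here as a constructed input.
const TWEET_URL = 'http://www.a.bc/@"onmouseover=alert(\'Sanitize user input!\')//';

// Vulnerable: the raw URL is interpolated into the href attribute and the link text.
// The " in the URL closes the attribute, so what follows becomes new attributes.
function linkifyVulnerable(url) {
  return `<a href="${url}" class="tweet-url" rel="nofollow" target="_blank">${url}</a>`;
}

// HTML-encode the characters that can end an attribute value or start a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: accept only http(s) URLs and encode the value in both the attribute
// and the text context. Anything else is emitted as encoded plain text, not a link.
function linkifySafe(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return escapeHtml(url); }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return escapeHtml(url);
  const safe = escapeHtml(url);
  return `<a href="${safe}" class="tweet-url" rel="nofollow" target="_blank">${safe}</a>`;
}

// Heuristic output check: does the generated <a> opening tag carry an on* event
// handler attribute? An encoded &quot;onmouseover= inside the href does not count,
// because the browser never sees it as a separate attribute.
function hasInjectedHandler(html) {
  const openTag = html.match(/^<a\b[^>]*>/);
  if (!openTag) return false;
  return /(^|["'\s])on\w+\s*=/i.test(openTag[0]);
}

console.log(hasInjectedHandler(linkifyVulnerable(TWEET_URL))); // true
console.log(hasInjectedHandler(linkifySafe(TWEET_URL)));       // false
```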
Of course, there are other nefarious uses for this and it has not taken long for JavaScript-savvy Twitter users to figure these out. This URL will cause the viewing user to actually Tweet a message just by moving his/her mouse over the dangerous link.
http://a.bc/@"onmouseover="document.getElementById('status').value='RT YourTwitterId';$('.status-update-form').submit();"class="modal-overlay"/
All of that is fairly harmless, but expect nastier code to follow soon.
In the meantime, Twitter users may:
- Use a third-party application to view Twitter until this is fixed, as this bug is only browser-based.
- If you do want to use your browser, install the NoScript extension for Firefox to keep the JavaScript from running.
Update: Twitter reports that they have fixed the vulnerability in the last few minutes.