TrendLabs Malware Blog - Trend Micro

As I write this, there are some rather unusual trending topics on Twitter, including:

• XSS
• OnMouseOver
• MouseOver
• Exploit
• Security Flaw

Searching for any of the said topics on Twitter should make what is going on immediately obvious. Essentially, there is a flaw in Twitter that allows the injection of JavaScript code into a Tweet. How does it work?

When you include a URL in your Tweet, Twitter automatically recognizes this. Then, when it displays that Tweet via the browser, it wraps that URL as follows:

<a href="YOUR_LINK" class="tweet-url" rel="nofollow" target="_blank">YOUR_LINK</a>

The problem is, Twitter does not sanitize the URL. In particular, it does not check for the presence of quotes, which allows a user to post a link like:

http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//

Twitter recognizes this is a URL and happily wraps it in a link. The problem is, the exclamation mark in the URL will cause the onmouseover bit to be added to the link tag (<a>) as an attribute, thus enabling a potential attack:

<a href="http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//" class="tweet-url web" rel="nofollow" target="_blank">http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//</a>

The onmouseover attribute defines a script that will be run when users move their mouse cursor over the link, normally JavaScript code. Using this bug, Twitter users can easily inject JavaScript code into their Tweets (and by my count, over 50,000 users have done so in the last 5 minutes). In my simple example, a pop-up window with the words "Sanitize your Input!" will appear.
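To show the root cause and the fix side by side, here is an added example (not Twitter's code; the function names are assumptions) of a link wrapper that interpolates the URL unescaped, the same wrapper with output escaping, and a small quote-aware attribute parser used to check which attributes actually land on the tag when it is fed the proof-of-concept URL from this post.

```javascript
// Added example, not Twitter's code: a model of the auto-linking bug and its
// fix. Function names are assumptions for illustration.

// Vulnerable wrapper: the URL is dropped straight into the href attribute, so
// a double quote inside it closes the value and everything after it becomes
// a new attribute on the <a> tag.
function wrapUrlVulnerable(url) {
  return '<a href="' + url + '" class="tweet-url" rel="nofollow" target="_blank">' + url + '</a>';
}

// Output escaping: neutralise the characters that can close an attribute
// value or start a tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened wrapper: escape on output, and only link the schemes we expect
// (the scheme check is an added caveat, not something the post describes).
function wrapUrlSafe(url) {
  if (!/^https?:\/\//i.test(url)) return escapeHtml(url); // plain text, no link
  const safe = escapeHtml(url);
  return '<a href="' + safe + '" class="tweet-url" rel="nofollow" target="_blank">' + safe + '</a>';
}

// Quote-aware attribute parser for one opening <a ...> tag, approximating how
// a browser tokenizes it, so we can see which attributes really land on the tag.
function parseAttributes(html) {
  const m = html.match(/^<a\s+([^>]*)>/);
  const attrs = {};
  if (!m) return attrs;
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let a;
  while ((a = re.exec(m[1])) !== null) attrs[a[1]] = a[2] ?? a[3] ?? a[4];
  return attrs;
}

// Detection check: any on* attribute is one the wrapper never wrote.
function hasEventHandler(html) {
  return Object.keys(parseAttributes(html)).some(k => /^on/i.test(k));
}

// Constructed input: the proof-of-concept URL quoted in the post.
const POC = 'http://www.a.bc/@"onmouseover=alert(\'Sanitize user input!\')//';

console.log('vulnerable:', hasEventHandler(wrapUrlVulnerable(POC))); // true
console.log('hardened:  ', hasEventHandler(wrapUrlSafe(POC)));       // false
```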

Of course, there are other nefarious uses for this, and it has not taken long for JavaScript-savvy Twitter users to figure these out. This URL will cause the viewing user to actually Tweet a message just by moving his/her mouse over the dangerous link:

http://a.bc/@"onmouseover="document.getElementById('status').value='RT YourTwitterId';$('.status-update-form').submit();"class="modal-overlay"/

All of that is fairly harmless, but expect nastier code to follow soon.

In the meantime, Twitter users may:

• Use a third-party application to view Twitter until this is fixed, as this bug is only browser-based.
• If you do want to use your browser, install the NoScript extension for Firefox to prevent the JavaScript from running.

Update: Twitter reports that they have fixed the vulnerability in the last few minutes.


• Hugo García

  Hi, and does Trend Micro block this activity of the Rainbown?

  I mean, the "Drive by Download"?

  • Jonathan Leopando (Technical Communications)

    Hi Hugo,

    We have received no reports of malware that was able to directly leverage this attack. Certain sites that were accessed in this series of script injections may already have been previously blocked as malicious.
