Twitter and the XSS zombie
In August, Twitter developer Ben Cherry changed the code of a Twitter library with the comment "closed XSS after the @". Yesterday this vulnerability reappeared on the Twitter servers and there was an avalanche of tweets exploiting this security hole.
The publicly viewable documentation of the August 24th code change in the open source code of twitter-text-rb even included a demo link that looks a lot like the one in circulation yesterday. The problem was that a URL crafted as http://x.xx/@ could confuse the parser, allowing JavaScript to be injected, stored with the tweet, and embedded in the Twitter user's browser on the site. An event, such as a mouseover (onmouseover), could then be used to activate the code.
According to Twitter, the problem was actually remedied last month, but a recent update of the site "unknowingly resurfaced it". When the first demo tweets went into circulation yesterday, it appeared that script code could again be injected. Less than an hour after the first few harmless demos began displaying JavaScript messages, variations popped up that propagated themselves as “retweets” or downloaded additional JavaScript code from external sites; it is still not clear what operations some of the variants performed. Shortly after the avalanche, Twitter put the fix back in place to remedy the problem and there appears to be no risk at the moment.
Twitter did not explain, however, how such a grave security flaw that had already been fixed could re-occur, nor did they say how they plan to prevent such things from happening again.
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
