Our client, Dermot Williams, Managing Director of Threatscape, provides expert advice and outlines the ins and outs today’s Twitter security breach.

What is XSS (Cross Site Scripting)?
When most modern web browsers are processing the data received from web sites to determine what to display on a user’s screen, they look for and process not only the text, graphics and formatting etc. contained in the HTML (hyper- text markup language) used to describe web pages, but also look for and act upon any commands written in the ‘Javascript’ computer programming language which allows web designers to embed small programs in their web sites. Javascript is the basis for much of the enhanced interactivity and improved user experience delivered by modern web sites – for which Javascript performs ‘client side’ tasks within the web browser such as validating user input, retrieving data without requiring a complete web page reload, or manipulating portions of the screen to make the user interface less static and more ‘application like’.

One of the most common ways in which attackers try to compromise web applications is through what are known as ‘cross site scripting’ attacks – commonly abbreviated to the rather more pronounceable acronym of ‘XSS’.   While the term is applied to a number of different types of attack, one of the most common can occur when a web site accepts data from a user, stores it and then displays it to other users – without adequately sanitising its content.   If a malicious user is permitted to submit data with Javascript programming instructions embedded within it (to a blog post, discussion board discussion, guest book entry, etc.) , and the web site later sends the same data back to other web site visitors – what is known as a ‘persistent XSS vulnerability’ ensues.

How can you be affected by XSS?
Unsuspecting users visiting a vulnerable web site – quite possibly one which they know and trust –may unknowingly access web pages with unexpected, unwanted but largely invisible Javascript code embedded in them.  Depending on the nature of the web site and just where on the pages you view an attacker was able to insert their code, the Javascript may be triggered automatically when a page loads, or may require an action by the viewer such as clicking on a web link (the purpose of which will doubtless be disguised) or moving their mouse over part of the screen.

So what might happen is an attacker is successful in getting their code transmitted to and executed by visitors to a vulnerable web site? While Javascript was designed with certain built in safeguards – such as limiting its access to local files or to data on separate web sites – there are many ways in which attackers can still cause considerable mischief – or worse.  A common one is to redirect visitors to unwanted third party web sites – which could potentially attempt to install further malicious software on their computers. Or unwanted ‘spam’ adverts may pop up.  And other forms of XSS attack may attempt to steal a user’s login credentials – bad for social networking sites, terrible for email accounts (which may then be used for spam and identify theft fraud), and worse still for online banking.

On social networking web sites, one particularly fast moving type of XSS ‘worm’ attack occurs when an attacker is able to post a message which includes Javascript code which when executed unwittingly by other users will cause them in turn to post messages containing the malicious Javascript code.

And is this what happened today with Twitter?
Yes, it appears that Twitter’s own web site was not fully preventing malicious users from embedding Javascript commands in their ‘tweets’.  Someone figured out that they could embed into a tweet a piece of Javascript code tied to a ‘mouseover’ event which would trigger when the user moves their mouse over a portion of the screen (or in some of the attacks, any part of it).  Someone reading one of these malicious tweets may unknowingly cause a similar tweet to be posted to their own twitter account –spreading the worm further.

In the space of just a few hours, numerous attackers have started exploiting the same weakness in Twitter’s security, and multiple ‘worms’ are spreading virally – tweet by tweet. Some seem to do nothing but spread; others have additional actions such as redirecting visitors to porn web site. Thousands of users, and hundreds of thousands of ‘tweets’, are already believed to be affected.

And what should people do to protect themselves?
In general when accessing the internet, consider only selectively enabling Javascript – the free NoScript add-on for the Mozilla Firefox browser is a particularly effective way of doing this.