
Twitter Vulnerabilities

Month of Twitter Bugs

The increasing popularity of Twitter has made it a target of numerous attacks. Security researcher Aviv Raff declared July 2009 the ‘Month of Twitter Bugs’ (MoTB). The aim of the project was to expose serious vulnerabilities in the environment around the social networking site: its focus was on identifying and reporting ways in which Twitter’s website and its associated third-party applications could be exploited to distribute malicious code/malware, and on raising awareness of Twitter-related vulnerabilities that put users at risk. Raff published a new bug each day on his website http://twitpwn.com/, covering widely used third-party Twitter services such as Twitpic or TweetDeck; vulnerabilities specific to Twitter itself were not disclosed during the ‘Month of Twitter Bugs’.

Statistics by Raff (as of July 16, 2009):
  • 35 vulnerabilities had been disclosed in 15 different third-party Twitter services.
  • 12 of the 35 vulnerabilities were 0-days (11 of them disclosed in the blog comments), meaning no patch was available at the time they were disclosed.
  • 7 of those 0-day vulnerabilities were still unpatched. (http://www.twitpwn.com/)


Vulnerabilities

1. bit.ly: URL-shortening service; allows one to send tweets with shortened URLs
• Reflected Cross-Site Scripting in the “url” query parameter. Patched
• Reflected Cross-Site Scripting in the keywords parameter. Patched
• Reflected POST Cross-Site Scripting in the username field of the login page. Patched
• Persistent Cross-Site Scripting in the content-type field of the URL info page. Patched

2. HootSuite: used to send tweets, direct messages and follow/unfollow other users from multiple Twitter accounts. It uses Username/Password authentication to utilize the Twitter API.
• Reflected Cross-Site Scripting (XSS) in the “add-account” page. Patched

3. TwitWall: used to send tweets and follow/unfollow other users. Uses OAuth authentication token to utilize the Twitter API (Application Programming Interface).
• Persistent Cross-Site Scripting (XSS) in the TwitWall entry view page. Patched

4. BigTweet: used to send tweets from any web page by using a bookmarklet. Uses Username/Password authentication to utilize the Twitter API.
• Cross-Site Request Forgery in BigTweet ‘upate.json’. Patched

5. TwitSnaps: Cross-Site vulnerabilities (the original advisory link is dead, so the exact class and patch status are not recorded here)

6. TwitPic: used to send tweets by uploading new photos, sending them via email, or posting comments on existing photos. Uses Username/Password authentication to utilize the Twitter API.
• Cross-Site Request Forgery in the Email PIN settings pages. Patched
• Cross-Site Request Forgery in the comments form. Patched
• Persistent Cross-Site Scripting in the TwitPic profile page. Patched

7. yfrog: used to send tweets by uploading new photos, or posting comments on existing photos. Uses OAuth authentication method to utilize the Twitter API.
• Reflected Cross-Site Scripting in the Upload and Search pages. Patched

8. Twitterfall: used to send tweets, replies or follow other twitter users. Uses OAuth authentication method to utilize the Twitter API.
• DOM Based Cross-Site Scripting in the main page. Patched

9. Twellow: used to follow and unfollow other twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Reflected POST Cross-Site Scripting in the Contact page. Patched
 
10. Twitiq: used to send tweets, direct messages and follow/unfollow other Twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php. Patched

11. Twitturly: used to send tweets to other Twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Persistent Cross-Site Scripting in the Twitturly URLs view page. Patched

12. TweetGrid: used to send new tweets and reply to other Twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Reflected Cross-Site Scripting in the Search page. Patched

13. Brightkite: used to send new tweets and reply to other Twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Reflected Cross-Site Scripting in the "Person not found" page. Patched

14. TweetMeme: used to send new tweets and reply to other Twitter users. Uses OAuth authentication method to utilize the Twitter API.
• Reflected Cross-Site Scripting in the Search page. Patched

15. Slandr: used to send tweets, direct messages and follow/unfollow other Twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Cross-Site Request Forgery in main update page. Patched
• Reflected POST Cross-Site Scripting in the Search page. Patched

16. HelloTxt: used to send tweets to other Twitter users. Uses Username/Password authentication to utilize the Twitter API.
• Persistent Cross-Site Scripting in the HelloTxt profile page. Patched

17. Mobypicture: used to send tweets by uploading new photos, or posting comments on existing photos. Uses Username/Password authentication to utilize the Twitter API.
• Persistent Cross-Site Scripting in the Mobypicture picture view page. Patched

18. tr.im: used to send tweets with the shortened URLs through a form on their website. Uses OAuth authentication method to utilize the Twitter API.
• Persistent Cross-Site Scripting in the tr.im Referrer statistics page. Unpatched

19. Talker: used to send tweets, direct messages and follow/unfollow other Twitter users. Uses OAuth authentication method to utilize the Twitter API.
• Cross-Site Request Forgery in the update forms. Patched
• Reflected POST Cross-Site Scripting in the Subject page. Patched
 
Updates available at: http://www.twitpwn.com/



Attacks

  • Koobface infection: Once a machine is infected, the Koobface malware posts fake ‘tweets’ from the victim’s account when the user logs in. According to Tom Kelchner of Sunbelt Software's research office, the tweet carries a link to a supposed home video; the site it points to infects visitors who try to play the video, and the newly infected machine in turn sends similar tweets to the user’s followers. (http://www.scmagazineus.com/Koobface-hits-Twitter/article/140029/)
     
  • Mikeyy or StalkDaily worm: The worm itself spread through script injected into Twitter profile fields (a stored cross-site scripting worm), and criminals then used the news coverage to push rogue anti-virus products: links telling users that their PC was infected and that they had to buy the product to remove the malware. A Google search for ‘Twitter worm’ conducted by F-Secure returned a malicious link in the top ten results; clicking it redirected to ‘videxxxxxs.cn’, which immediately redirected to ‘loyxxxxxxno.com’, which tricks users into downloading a fake video codec from ‘cxxxxxxxxaz.com’. According to Patrik Runald, chief security advisor at F-Secure, the fake codec is a Trojan downloader that fetches additional malware, including a rogue security product called WinPC Defender, which shows fake malware detections. (http://www.securecomputing.net.au/News/142548,cybercriminals-begin-to-use-twitter-mikeyy-worm-to-spread-fake-antivirus.aspx)
     
  • Rogue security software: Users received tweets with a link to ‘juste.ru’, supposedly to watch a YouTube “Best Video.” In reality the page loaded a malicious PDF through a hidden IFRAME in the background, carrying exploits for unpatched versions of Adobe Reader. The site then claimed that the system was infected and offered a “security software” download.
     
  • Attachments: Users received e-mail messages (tweets cannot carry attachments) saying ‘your friend has invited you to Twitter’ and asking them to open an attachment, ‘InvitationCard.zip’. Opening the attached file infected the machine with a worm that sends out mass e-mail messages.
     
  • Phishing scam: Users received fake Twitter e-mail messages such as "hey! check out this funny blog about you...". Clicking the provided link led to a spoofed site resembling Twitter’s, where users were asked to log in with their Twitter password. The harvested credentials were used to send direct messages on the users’ behalf to their followers. (http://www.technewsworld.com/story/exploits-vulnerabilities/65727.html?wlc=1247691951)
     
  • Hijacked accounts: An attacker worked out the e-mail address and password of a Twitter user who was also a company employee and used that access to obtain a number of confidential internal documents. The incident did not affect any other Twitter member accounts. (http://www.scmagazineus.com/Intellectual-property-belonging-to-Twitter-exposed-in-hack/article/140157/)



How to Safeguard Yourself from Vulnerabilities/Attacks

  • Do not click on URLs within tweets, especially those advertising a video
  • Do not open invitation attachments or any other unsolicited or suspicious email attachments
  • Look closely at the address bar before signing in to make sure you are on the authentic Twitter website. Do not sign in if the host is not www.twitter.com, even if the page looks exactly like Twitter’s
  • For additional security, disable JavaScript in your browser (the Firefox add-on NoScript blocks unwanted scripts)
  • If you think your account is compromised or you provided your password on the spoofed Web site, change your password.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) recommends taking the following actions to avoid becoming a victim of malware intrusion through social networking sites:

  • Organizations should determine if social networking sites are appropriate within their environment. If yes, the organization should develop a policy on the appropriate use of social networking sites.
  • Train users on the appropriate usage of social networking sites, including enabling the privacy features and disabling of "Auto-Feeds" that are not approved by your organization.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links, especially from untrusted sources.
  • If you believe you have been affected by targeted attacks exploiting these vulnerabilities, follow your organization's policies for incident reporting.
  • Ensure that all anti-virus software is up-to-date with the latest signatures.
  • Ensure that the most recent vendor patches are applied on all desktops, laptops, mobile devices and servers as soon as possible.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
