It’s no surprise it’s being targeted though as it’s now the 3rd biggest social network after Facebook and Myspace.
Twitter was hit over the weekend by powerful, self-replicating attacks that caused people to flood the micro-blogging site with tens of thousands of messages simply by viewing booby trapped user profiles.
It’s not the first time Twitter has been hit and it’s not the first time they have been criticized for not being fast enough or for dealing with the problem properly.
The issue itself is quite a serious one and shouldn’t have existed in the first place, who knows how long this flaw has been known about and what nefarious purposes other people have been using it for.
The fella that exploited it basically did it to promote his own Twitter knock off called StalkDaily which is currently down.
As is frequently the case with XSS-based attacks, the worm was unable to prey on those using the NoScript add-on for the Firefox browser.
Twitter’s security team was able to block the attack for a while, but a new assault that made use of “mildly obfuscated” code soon defeated the countermeasure, raising the possibility that it was based on the detection of attack signatures rather than fixing the underlying bug that allowed the XSS vulnerability in the first place.
“The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error?” Italian researcher and NoScript creator Giorgio Maone wrote here. “This would be ridiculous, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that).”
It’s not the first time Twitter has been slow to react to vulnerabilities on its site that allow self-replicating attacks against its users. The San Francisco-based company took more than 24 hours to close a separate hole discovered by white-hat hackers last month, while many of the company’s employees attended the South by South West conference in Austin, Texas.
The scary part is, Twitter didn’t fix the root cause of the problem – it appears they just filtered out the malicious code. So by altering it slightly the author quickly unleashed another version of the worm.
I hope Twitter get’s their act together and starts fixing things properly.
Source: The Register
- OpenVAS 7 Released – Open Source Vulnerability Scanner
- Google Leaves Android Users Vulnerable To WebView Exploit
- pwntools – CTF Framework & Exploit Development Library
- Twitter DM Phishing Scam
- Using Twitter for Data Mining and Information Gathering
- Phishing Attacks Hits Twitter Users – Utilising Direct Messages
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 228,920 views
- AJAX: Is your application secure enough? - 119,314 views
- eEye Launches 0-Day Exploit Tracker - 85,158 views