This article is mainly about the worm, not about the spam, but the mechanisms are similar.
Step1: The breach
Apparently, there was (it’s fixed now) a bug in the twitter website when it came to transforming tweet text that looks like a link into an actual link you can click on. This code has to identify text starting with “http://”, like “http://twitter.com”, and transform it into an actual link, which in HTML looks something like:
The bug was that twitter didn’t recognize the end of a link properly. By inserting @" at the end of a legit URL, an attacker was able to escape the href attribute and inject code into the HTML the twitter engine made out of his URL. Once you’re able to inject code into a website, hell’s doors are open. To the browser, it looks like twitter put that code there. Boom!
So for example by putting the link:
in a tweet, an attacker would have made the twitter engine generate the following HTML:
<a href="http://foo.bar/@"alt="google.com"> ...
Which, in this harmless case, would have printed a link to foo.bar with a hover label of “google.com”.
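To make the attribute-escape concrete, here is an added example (not Twitter’s code) of a toy autolinker with the same class of bug, beside a hardened version; the regexes, function names and the sample tweet are my own constructions.

```javascript
// Added example, not Twitter's code: a toy tweet autolinker with the same
// class of bug the post describes, beside a hardened version. Regexes,
// function names and the sample tweet are constructed for this example.

// Vulnerable: the URL match runs until whitespace, so a double quote in
// the "URL" survives into the href attribute and closes it early.
function linkifyVulnerable(tweet) {
  return tweet.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Escape every character that is significant in HTML text or inside a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: stop the URL at any character a URL cannot contain (a double
// quote among them), and escape both the URL and the surrounding text
// before interpolating into the markup.
function linkifySafe(tweet) {
  const urlRe = /https?:\/\/[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+/g;
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(urlRe)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Check usable in a test suite: does the first anchor carry any attribute
// other than the href we wrote? If so, the input smuggled in markup.
function smuggledAttribute(html) {
  const m = html.match(/<a href="([^"]*)"([^>]*)>/);
  return m !== null && m[2].trim().length > 0;
}

// Constructed tweet in the shape the post describes: a legitimate-looking
// URL followed by @" so that what comes after lands outside the href.
const sample = 'see http://foo.bar/@"alt="google.com" now';

console.log(linkifyVulnerable(sample)); // href closes after @, alt= is injected
console.log(linkifySafe(sample));       // the quote stops the URL and is escaped
```

Running the check on both outputs gives true for the vulnerable linkifier and false for the hardened one.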
Step 2: Loading evil code
However, to do evil things, an attacker would need more than 140 chars’ worth of code. Therefore, he needed to load additional evil code. Here’s how:
By using this function in combination with the onmouseover attribute, the attacker was able to load additional evil code from his own server. This code got immediately executed by the browser.
Step 3: Spreading the word
The key to success for any worm is spreading the word (a.k.a. sending itself to the max ppl it can).
Step 4: Do it with style
OK the basics are set up. Now let’s add some style. There are a couple of things the attacker can improve:
First of all, the user would still have to hover over the link for the hack to fire, since the attack relies on the execution of “onmouseover”. To maximize the chance the user hovers over the actual link, let’s just print the link in a HUGE font size, filling up all the browser so the attacker can be SURE the mouse will hover over it. Since we control the HTML displaying the link, we can just put the following in:
Finally, some mockery. Instead of using any insignificant URL, the attacker used t.co, twitter’s own controversially discussed URL shortening service, which they introduced claiming it would enhance security for twitter users. Really stylish, isn’t it? 😀
Hope you’ve enjoyed reading how it’s done, and avoid Cross-Site-Scripting ppl! 🙂
[Update: Twitter put out an official statement about the issue which is, of course, a lot less technical than my analysis 😉 : http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html ]