Why Twitter was compromised, and how it ended so soon

Yesterday, Twitter was flooded with spam tweets produced by a significant cross-site scripting (XSS) vulnerability that threw the service into disarray. People were warned repeatedly to stay off the service's main page, to use only third-party Twitter apps, and generally to sit tight until the storm blew over. The attack spread like wildfire in a California summer, affecting tens of thousands of users in just minutes. Several hours later, Twitter had patched the vulnerability, and no lasting damage was done. A close analysis of the events shows a surprising yet sensible result. ComputerWorld reports that, according to Sean Sullivan of the Finnish security company F-Secure, there is a distinct parallel between the speed of an attack and the alacrity with which the website patches it. Generally, he says, the faster and more widespread the effects, the faster it gets fixed. "Social networks have built-in antibodies...their users. Compare the Twitter attack to a malicious attack of yesteryear that took weeks or even months to develop. This peaked and ebbed in two and a half hours."

The nature of social networking sites like Twitter is what lets these exploits proliferate so quickly, but it is also why malicious hackers don't really use those avenues of attack. The users of a social network notice quickly when something seems amiss, and when something like this hits the servers, the feedback is huge and almost instantaneous. Building a botnet of hundreds of thousands of client PCs to take down a large corporate website, on the other hand, takes a lot of time, is generally unseen by the users of the controlled PCs, and the perpetrator makes every attempt to keep the infection as stealthy as possible.

Sullivan separates the work of hobbyist spammers from that of professional hackers to explain the difference. Spammers, if they are even after money in the first place, are drawn to these kinds of attacks because, while they may be short-lived, a good scam is all about one good window of opportunity among thousands of dead ends. The target isn't clear, the intent may not even be malicious, and a successful attack can bring fame and honour in that subculture. Professional hackers, on the other hand, have a much more specific target, with detailed goals and attack plans. Stealing profitable personal information requires precision and, above all, stealth. A social network attack is extremely visible, something the professional cyber-criminal wants to stay far away from.

Sullivan's solution for stemming the inevitable new tide of Twitter spammers is a simple one: bounties. In a situation where the attack is extremely visible and widespread, there will be many users willing to heed the call of the mercenary and ride to the rescue. It would also convert hobbyist spammers to the good guys' team. "These people with hobbyist mentalities want to be promoted, and recognition from Twitter might be one way to go."

Image Credit: Matt Hamm (Flickr)


19 Comments


emzino said,
What's injection prevention?

For sites like Twitter, they need to prevent users from being able to submit content (a post) that another user's browser or the server itself will interpret as "code".

E.g. Instead of just posting "Hey that concert was awesome", they post text that browsers or servers see as code to run instead of text to show, or commands that the server thinks it must run.

Typically the "code" in most computer languages requires characters like < > " ' and a few other things that the computers see as special and handle not as plain text but as something to actively run.

To prevent users putting working code into the system, aka injection, the server swaps all the special characters that might confuse/trick the server and browsers for things that look the same visually but actually aren't.

If you look at the page source for this very page, you will see the Neowin server swapped my < > ' " to &lt &gt &quot &#039 for the purpose of injection prevention.

JonathanMarston said,
You got my hopes up. If only Twitter really had "ended so soon"

+1 ... I've had the same thought as well!

spacer said,
God, what a pointless website.
It's obviously not pointless. The pointlessness comes from *users* posting pointless messages. Just don't read them.

It's true that it was a bit of an oversight by Twitter, however as the article stated, the speed with which the issue was resolved is really quite amazing.
I've never seen Microsoft turn a 0 day vulnerability as quick as this.

badblood said,
I've never seen Microsoft turn a 0 day vulnerability as quick as this.
To be fair, a server-side exploit on a web app is a lot quicker and easier to fix than a client-side exploit, especially when the client-side patch could have adverse effects on certain hardware and software.

It's an absolute embarrassment for Twitter.. it couldn't be worse really.. caught with their pants down! They have only ONE source of user data input and they somehow make the biggest rookie mistake in the book to overlook injection prevention.

"OPPS".

They're for the birds, if you'll excuse the pun

highonsnow said,
It's an absolute embarrassment for Twitter.. it couldn't be worse really.. caught with their pants down! They have only ONE source of user data input and they somehow make the biggest rookie mistake in the book to overlook injection prevention.

"OPPS".

They're for the birds, if you'll excuse the pun

You mean it's for twits. It's amazing how media never says 'twit' when they refer to twitter. That's marketing at its best.

This whole thing could've been avoided with some proper string sanitization in the JavaScript. I'm actually surprised this had never happened before.

Elliott said,
This whole thing could've been avoided with some proper string sanitization in the JavaScript. I'm actually surprised this had never happened before.

From what I hear that's a pretty basic practice. Red faces all round at TwitterHQ

Elliott said,
This whole thing could've been avoided with some proper string sanitization in the JavaScript. I'm actually surprised this had never happened before.

Apparently they fixed the bug a while ago but apparently the migration to NewTwitter regressed and re-exposed the vulnerability.

Uplift said,

From what I hear that's a pretty basic practice. Red faces all round at TwitterHQ

A simple and quick string replace on " and ' for &quot; and &#039; and other HTML entities and you'd have stopped that; shouldn't they have a test suite to catch these issues?
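The "injection prevention" emzino describes above, and the string replace Uplift suggests, as an added JavaScript example. This is not Twitter's code and not from the article or any commenter; it assumes a hypothetical tweet renderer that takes an object with `user` and `text` fields, and the tweets in `SAMPLE_TWEETS` are constructed generic XSS test strings, not the payload used against Twitter (which the article does not reproduce). It escapes the full set `& < > " '` rather than quotes alone, because a bare `<` is enough to open a tag in text context and an unescaped `&` lets entities be smuggled through, and it ends with the kind of regression check Uplift asks about.

```javascript
// Added example (not Twitter's code): output encoding for tweet rendering,
// shown as the vulnerable renderer beside the hardened one, plus a
// regression check. No DOM is used, so it runs under Node as well.

// Every character that an HTML tag or attribute parser treats as syntax,
// mapped to its entity. '&' must be covered or entity text can be smuggled
// through; both quote styles must be covered because attribute values may be
// single- or double-quoted.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: user-controlled strings are concatenated straight into markup.
// The text lands in two different contexts (a quoted attribute and element
// text) and neither one is encoded.
function renderTweetUnsafe(tweet) {
  return (
    '<div class="tweet">' +
    '<a href="/' + tweet.user + '" title="' + tweet.text + '">' + tweet.user + "</a>: " +
    "<span>" + tweet.text + "</span>" +
    "</div>"
  );
}

// Hardened: every user-controlled value is entity-encoded at the point where
// it is inserted, so it can neither close the attribute nor open a tag.
function renderTweetSafe(tweet) {
  const user = escapeHtml(tweet.user);
  const text = escapeHtml(tweet.text);
  return (
    '<div class="tweet">' +
    '<a href="/' + user + '" title="' + text + '">' + user + "</a>: " +
    "<span>" + text + "</span>" +
    "</div>"
  );
}

// Structural invariant for a regression test: user input must never add
// tag or attribute delimiters to the output. Count them and compare against
// what the bare template produces.
function markupCounts(html) {
  return {
    lt: (html.match(/</g) || []).length,
    gt: (html.match(/>/g) || []).length,
    quote: (html.match(/"/g) || []).length,
  };
}

const TEMPLATE_COUNTS = markupCounts(renderTweetSafe({ user: "", text: "" }));

function inputLeakedMarkup(html) {
  const c = markupCounts(html);
  return c.lt !== TEMPLATE_COUNTS.lt || c.gt !== TEMPLATE_COUNTS.gt || c.quote !== TEMPLATE_COUNTS.quote;
}

// Constructed corpus: one benign tweet and three classic context-breaking
// strings (generic XSS test inputs, not the payload used against Twitter).
const SAMPLE_TWEETS = [
  { user: "alice", text: "Hey that concert was awesome" },
  { user: "mallory", text: '"><script>alert(1)</script>' },
  { user: "mallory", text: '" onmouseover="alert(1)' },
  { user: "mallory", text: "<img src=x onerror=alert(1)>" },
];

// Runs the corpus through a renderer and returns the texts that escaped their
// context. A hardened renderer returns an empty list; a regressed one does not.
function findRegressions(render) {
  return SAMPLE_TWEETS.filter((t) => inputLeakedMarkup(render(t))).map((t) => t.text);
}

console.log("unsafe renderer leaks:", findRegressions(renderTweetUnsafe));
console.log("safe renderer leaks:", findRegressions(renderTweetSafe));
```

The count-based check is deliberately crude: it only detects input that breaks out of its context, which is the whole of the XSS problem here. A check like `findRegressions` run in the build against every renderer is what would have caught the kind of regression Elliott mentions, where a previously fixed bug came back with a rewrite.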