Earlier this morning, an Australian teenager discovered a new cross-site scripting vulnerability on twitter.com. Just a couple of hours later, hackers used the same flaw to launch a massive XSS worm attack against Twitter users.
zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr’s colourful use of CSS injection to display the colours of the rainbow.
Using a similar technique, zzap was able to inject an
zzap later demonstrated that it was possible to steal cookies from Twitter users, by displaying the contents in another pop-up message. This could be mitigated to some extent if Twitter used the HttpOnly attribute for their cookies — this would prevent injected scripts from being able to directly access the
Although the XSS exploits demonstrated by zzap were mostly harmless, some users were nonetheless baffled by the unexpected behaviour and concluded that Twitter had been hacked:
zzap told another Twitter user that the flaw could be used to steal account information, while one of his other examples made the obvious point:
Searching Twitter for “onmouseover” shows many of the different attack vectors currently being exploited and propagated:
The vulnerability is still present right now, but John Adams at Twitter Security responded to Netcraft within just a few minutes to say they are looking into it.