Too easy: A common cross-site scripting technique tangles Twitter
A self-proclaimed 17-year-old whose identity has not been confirmed -- and therefore neither has his or her age -- has taken responsibility for deploying cross-site scripting code through Twitter. That code, embedded in users' profiles and masked to look like ordinary hyperlinks, resulted in messages being 'tweeted' through those users without their knowledge. Those tweets, when their links were followed, resulted in the same code being injected into the followers' profiles.
It sounds sophisticated, especially when it's being explained by a novice TV news anchor. In fact, the concept itself is easily Googled, and example code similar to that created by the fellow calling himself "mikeyy" is readily available.
One of the first complete descriptions of how the code worked was provided over the Easter/Passover weekend by an apparently rational adult: independent security researcher Damon Cortesi. As Cortesi points out, a commonly used JavaScript function often called URLencode translates any string of characters into something that can be embedded in a URL without triggering an escape sequence. For years, malicious users have been able to leverage functions like this one to embed links to JavaScript files hosted on their own sites in URLs that a Web server then blindly translates into hyperlinks.
That's apparently the trap Twitter fell into over the weekend. "What's happening here is that it looks like somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed," Cortesi wrote. "This is particularly nasty because you could get infected simply by viewing somebody's profile page on Twitter that was already infected."
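To make the mechanism Cortesi describes concrete, here is an added example (not Twitter's code and not Cortesi's) showing a profile-URL field rendered two ways: a vulnerable renderer that decodes the stored, percent-encoded value and concatenates it straight into an `<a href>` attribute, and a hardened one that checks the URL scheme and HTML-escapes the value for the attribute context. The function names and the sample values are assumptions constructed for the illustration.

```javascript
// Added example (not Twitter's or Cortesi's code): a stored profile "URL"
// field rendered into HTML. Stored values are assumed to be percent-encoded,
// the "URLencode" step the article describes; the bug is on the output side.

// Decode the stored form; returns null for malformed percent-encoding.
function decodeStored(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return null;
  }
}

// VULNERABLE: trusts the decoded string and concatenates it into markup,
// so a quote in the value closes the href attribute early.
function renderProfileLinkVulnerable(storedUrl) {
  const url = decodeStored(storedUrl) || "";
  return '<a href="' + url + '">' + url + "</a>";
}

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Allow only absolute http(s) URLs, which also rejects javascript: links.
function isSafeHttpUrl(s) {
  let u;
  try { u = new URL(s); } catch (e) { return false; }
  return u.protocol === "http:" || u.protocol === "https:";
}

// HARDENED: validate the scheme, then escape for the attribute/text context.
// Returns an empty string when the value is not renderable as a safe link.
function renderProfileLinkHardened(storedUrl) {
  const url = decodeStored(storedUrl);
  if (url === null || !isSafeHttpUrl(url)) return "";
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + "</a>";
}

// Audit helper for a defender: given stored (encoded) values, count how many
// would break out of a quoted attribute once decoded and rendered unescaped.
function countAttributeBreakouts(storedValues) {
  return storedValues.filter((v) => {
    const d = decodeStored(v);
    return d !== null && /["'<>]/.test(d);
  }).length;
}

// Constructed sample values (not taken from the incident).
const BENIGN = encodeURIComponent("http://example.com/page?a=1&b=2");
const BREAKOUT = encodeURIComponent('http://example.com/" onmouseover="alert(1)');
const JS_SCHEME = encodeURIComponent("javascript:alert(1)");

console.log("vulnerable :", renderProfileLinkVulnerable(BREAKOUT));
console.log("hardened   :", renderProfileLinkHardened(BREAKOUT));
console.log("js scheme  :", JSON.stringify(renderProfileLinkHardened(JS_SCHEME)));
console.log("breakouts  :", countAttributeBreakouts([BENIGN, BREAKOUT, JS_SCHEME]));
```

The point the example makes is the one Cortesi raises: encoding applied when the value is stored says nothing about whether it is safe to display. Output must be escaped for the context it lands in (here, a quoted HTML attribute), and a field that is meant to hold a link should additionally be restricted to the schemes the site intends to render. The audit helper is the kind of check an operator can run over existing records after such an incident to find profiles that still carry a breakout.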
In a mea culpa issued Sunday, Twitter's Biz Stone admitted that his engineers noticed malicious-looking transaction activity at 7:30 am Pacific time, traced back to 2:00 am. Stone likened the malicious code's profile to the notorious 2005 "Samy" cross-site scripting worm that plagued MySpace, although a check of that worm's code shows it may actually have been a little more sophisticated.
A check of the new Twitter worm's code, as posted over the weekend by an independent researcher, reveals that it essentially finds the username of a Twitter user by extracting it from the page's META tags -- a simple exercise in pattern matching. The cookie for that profile page is an element of the page's own Document Object Model, so paired with the username, the cookie name can be used to generate the location of the stored tweets for that user. Those tweets can then be replaced with not only a link to the malicious user's site, but also a link to that site's graphic, which may replace the user's own picture in the tweet.
In a statement to the independent site BNOnews.com, "mikeyy" -- reminding everyone that he's 17 and has the bad grammar to prove it -- said, "I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website."
There's no actual proof that "mikeyy" has "usually" done anything else of the sort, though his initial statement to the Web site appeared to be a response to a question about whether he was the perpetrator -- indicating that the site's editors at least had reason to ask such a question to start with.
11:38 am EDT April 13, 2009 - Apparently fulfilling the Twitter stunt's goal of bringing publicity to unknown sources, a fellow who looks more like 14 than 17, claiming to be "mikeyy," has granted this exclusive interview to another Web site. In an indication that he used his real name in the interview, one of the commenters for this story posted what appears to be "mikeyy's" real parents' names, address, and telephone number.