Tuesday, September 21, 2010

Twitter Worm Bug

On Tuesday, a bug that had previously been fixed resurfaced on Twitter's website, and it was quickly exploited by several fast-spreading worms. Although the bug was contained later the same day, it caused havoc while it ran loose, sending either a blacked-out message or Japanese pornography to all of a user's followers. The worms did so much damage because users did not need to click a link to spread them: merely hovering the mouse over a specially written link in a Twitter message executed the malicious code, which then propagated the worm further. Reports claim that one hundred thousand people were affected, including Sarah Brown, wife of former British Prime Minister Gordon Brown, and White House Press Secretary Robert Gibbs.
This is not the first time that Twitter has fallen victim to a worm. Last year, a seventeen-year-old boy released a worm on the site. This time, a Japanese hacker discovered the problem. He attempted to contact Twitter about the issue for several days, but ended up deciding to demonstrate the problem with worm code, which was then copied by many others. Representatives from Twitter report that most of the worms fell into the prank or promotional categories, and that there is no reason to believe the problem could damage users' accounts or computers. They claim that there is no need to change passwords because account information was not compromised in the attack.
The cause of this event is two-fold. First, the worm was able to get through because of a basic Web programming error that allowed users to add JavaScript to their tweets. The problem could have been avoided if the corporation had noticed it itself, or had listened to the Japanese hacker when he reported it. The second cause was that a recent site update re-exposed the previously discovered and fixed problem. The issue had been public knowledge since August 23 and had been fixed, but the update brought it back. Had Twitter reviewed the update and what it changed, the problems could have been side-stepped. Monitoring of the website could also have caught the issue, as the Japanese hacker did.
Because the worm breached neither confidentiality, integrity, nor availability, there is no action that Twitter users need to take in response to the bug. However, if they are worried about future issues with the site, they may want to contact Twitter directly or cancel their subscription to the site. The corporation, on the other hand, needs to respond by solving the problems listed above. This attack may not have compromised any sensitive data, but a future one may. By fixing both the ability of users to add JavaScript to tweets and the process that let the update's regression go unnoticed, Twitter can avoid future security breaches of this nature.
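As an added example (not Twitter's code or the author's), the JavaScript below shows the class of rendering mistake the post describes beside its fix: a naive renderer splices a user-supplied URL straight into an href attribute, so a link containing a double quote can close the attribute and introduce an onmouseover handler, while the hardened renderer HTML-encodes every value it emits. The link-detection regex, the renderer functions and the constructed sample tweet (with an inert handler) are assumptions made for the demo.

```javascript
// Added example, not Twitter's code. Renders the links in a tweet as HTML
// two ways: an unsafe splice, and an encoded form that keeps user input
// inside the attribute it was meant for.

const URL_RE = /https?:\/\/\S+/g; // crude link detection, assumed for the demo

// HTML-encode a value so it is inert inside a double-quoted attribute or as text.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable rendering: trusts the URL text verbatim, so a quote in the URL
// terminates the href attribute and whatever follows becomes a new attribute.
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened rendering: every emitted value (link and surrounding text) is encoded.
function renderTweetSafe(text) {
  const out = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out.push(encodeHtml(text.slice(last, m.index)));
    const u = m[0];
    out.push(`<a href="${encodeHtml(u)}">${encodeHtml(u)}</a>`);
    last = m.index + u.length;
  }
  out.push(encodeHtml(text.slice(last)));
  return out.join("");
}

// Defensive check: does the rendered HTML contain an event-handler attribute?
// (Looks for on<name>= preceded by a quote or whitespace, i.e. in attribute position.)
function hasEventHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet: the URL carries a quote and an inert handler name.
const SAMPLE = 'see http://example.com/@"onmouseover="x()"/ now';

console.log(hasEventHandler(renderTweetUnsafe(SAMPLE))); // true: handler lands in the tag
console.log(hasEventHandler(renderTweetSafe(SAMPLE)));   // false: quote is encoded
```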

7 comments:

  1. This is definitely a unique situation. I never thought that a worm could be spread on a computer by simply "hovering over a written link". From what I read about the attack, it seems as though the spread of the worm is mainly due to the lack of care by the Twitter administration. You said that the worm was able to penetrate the system because of a basic Web programming error. This is a basic mistake that should have been fixed by the staff. Twitter also ignored a user's knowledge of the problem. They failed to respond to his recommendations, which led to the spread of the worm. These incidents do show a lack of concern by the Twitter staff. Luckily, the worm was not able to recover any personal information. If the 100,000 who were affected by this worm had their personal information stolen, it would be a much more serious problem. However, I agree that the users should not take this attack lightly and might want to consider canceling their membership to the site.

  2. When I was reading about this Twitter incident online, I was surprised to learn that it was due to a bug in third party code, which is code that an organization uses which they themselves did not develop. Instead it is obtained from code libraries or other outside sources. According to the article I posted below, it was third party code that enabled the “onmouseover” JavaScript function to be incorporated into Twitter updates.

    The article below states that while third party code is used very often by companies (for anywhere between 30-70% of applications), it is very risky, and is not secure 81% of the time. So even though using third party code might be quicker and easier, the problems that it can cause can sometimes outweigh its benefits. For this reason the article advises companies to be hesitant about using third party code. I think that this Twitter incident just goes to show how you should not always trust outside sources. Twitter should be more careful with the code they use to build their site and should test it, if possible, to uncover any possible security vulnerabilities.

    http://www.computerworld.com/s/article/9187218/Third_party_code_makes_apps_vulnerable_say_security_experts_?taxonomyId=17

  3. It certainly does seem to be a security flaw to allow JavaScript to be embedded in Twitter updates - although I wonder how much code could actually be embedded given the length restrictions on Twitter.
    This exploit also reminds me of the recent Facebook privacy issue where users figured out the URL variables in the "Preview My Profile As Seen By [Friend]" feature, allowing them to see the profiles of their friends' friends. While this was a slightly different issue in that it ultimately still used Facebook's own code, with modified inputs, it is similar to the Twitter incident because it did not account for the users' ability to modify the site's features and compromised the integrity of the system's inputs.
    Finally, I wonder what the degree of security risk in this particular Twitter exploit was. JavaScript is for the most part sandboxed and is rarely granted system access, so - without first-hand experience of the exploit or further information - it seems that it was more a minor annoyance than anything else (although it could have been used to trigger an automatic download of a more dangerous worm or virus).

  4. I'm glad that KMCKIERN was able to dig up a current event about this. In addition to my concerns about Facebook (as noted above by kli1), I was curious how vulnerable Twitter was to security breaches, since it is such a prominent social networking tool. The thing that shocked me the most was that the Twitter users only had to hover over a specially written link in a Twitter message. I had no idea this was possible, but in the ever-evolving world of computer technology, I suppose nothing should. And as cmill2013 pointed out above, it is easy to see how a third party code can enable the "onmouseover" JavaScript command to be utilized.
    Overall, this seemed like a pretty minor security breach, but that's not to say it could not be a precursor to more serious issues faced by Twitter in the future. There are hundreds, perhaps thousands of people who get themselves in enough trouble already by being nonchalant with social media. In the case of Facebook, people are getting in trouble with employers over the statuses, people's houses are getting broken into whenever their status indicates their locations, and the list goes on. In the case of Twitter, athletes are getting suspended for saying dumb things (see Marcus Jordan, Chad Ochocinco, Terrell Owens, etc...), in addition to the other problems shared with Facebook. Although this worm did not compromise any further private information, that is not to say a new and more sophisticated one couldn't. As Twitter continues to grow, it would be prudent for them to monitor more closely what's going on as well as where the loopholes exist (see the JavaScript issue). After all, we wouldn't want Samantha Cameron, the wife of the new British Prime Minister David Cameron, to get the wrong idea about Twitter.

  5. Similar to previous posters, I am most surprised by the ability of the worm to spread without even clicking on the link. I had never heard of a bug that was capable of spreading simply by having a mouse hover over the text containing the bug. In this particular case, the cross-site scripting (XSS) bug was relatively harmlessly taking advantage of the obvious security lapse. The worst outcome of this bug would bring up a porn site on your computer. Although this is rather malicious, this was not a serious security threat to the users as much as it was just an annoyance. However, it is not this particular bug that I find to be alarming, rather the potential that tweets have to spread bugs. Just as malware often presents itself as a link in an unwanted email, it is possible to include similar links in tweets. Thankfully the problem with the ability to include JavaScript in tweets has been fixed, but this does not prevent the presence of malicious links on Twitter completely.
    The people whose security is most threatened by the potential of malicious tweet links are the uninformed and unaware. As I am beginning to understand through this class, the biggest part of information security is simply the awareness of potential threats. Just as we have seen in previous cases, it is best to be cautious of sources if you are not absolutely confident in their credibility. Therefore, as a Twitter user, it is best to be wary of links in tweets. I am confident that Twitter will do its part to protect its users as best as possible, but this still leaves plenty of room for security breaches to occur due to users' lack of awareness and necessary caution. As social media progressively becomes more popular it also becomes a larger target for hackers. Websites like Twitter.com provide a great social network medium, but unfortunately, they can also provide opportunities for hackers to reach the unsuspecting public.

  6. Although it seems pretty clear that this security breach was relatively minor, I am most concerned with the nature of the breach. Again, as numerous other posts mentioned, I was completely unaware that it was possible to hover your cursor over a certain link to activate a bug. This raises the question of what's next. Can a bug be so advanced that it can be activated merely by opening a webpage such as Twitter or Facebook, or even just clicking on your profile once logged into those or any other sites for that matter? It seems as though the security measures taken by Twitter were not very effective and that Twitter did not seem overly concerned with the issue. It makes me nervous that a site such as Twitter that involves so much personal information could take their security so lightly due to the importance of that information remaining secure.

  7. Luckily I do not have a Twitter account so I do not have to worry about any future worms gaining access to my personal information. From the reading I understand this case was minor, but as stated before in previous comments, this minor case could have been prevented if the people at Twitter had acknowledged the message sent by the Japanese hacker or viewed the problem that occurred with the update. With so many users now using Twitter, and the fact that Twitter has grown significantly over the past years, it may be difficult at times to secure and protect users from every potential harm or threat. However, if Twitter manages to take the time to decrease these minor problems, by doing weekly security updates of the site or having someone constantly check to make sure the web programming for the site is correct, then I feel the many users already using the site will not have to worry about any of their personal information ending up in the wrong hands.
