When did it happen?
On September 2010, Twitter.com was hit by an XSS attack that exploited the Web 2.0 vulnerabilities of the social media platform. While this not very recent, it makes for an interesting case study as it was one of the first times a major website had been subjected to a cross-site scripting attack. (“Twitter Attack An XSS Wake-Up Call”)
What happened?
On September 21, 2010, hackers exploited an XSS vulnerability in Twitter and waged at attack. The initial XSS attack on Twitter morning began before 6 a.m. Eastern Time on September 21, 2010, with users submitting JavaScript code as plain text into a tweet that then was executed in victims’ browsers.
Twitter blog post from that day, by an employee with the handle @bobloard, says that “a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an ‘onMouseOver’ flaw — the exploit occurred when someone moused over a link.” (“All about the “onMouseOver” incident.”)
The initial attack sent pop-ups and, in some cases, a “rainbow Twitter” post, and then redirected users to Japanese pornographic sites. Among the affected accounts was that of (the then) White House press secretary Robert Gibbs.
Why did it happen?
What is noteworthy in the case of Twitter is that this flaw had been discovered and patch a month prior to the attack, but a newly released “patch” reopened it. This is a serious case of upgrades introducing more problems than solving them, and unfortunately, is common in the software development world.
One way to prevent this is through “regression testing” – where every new patch is run through a battery of all old test cases and a library of prior fixes – to ensure nothing that was already fixed in broken again.
Why are XSS attacks prevalent?
Barnet, a security researcher at SpiderLabs, says that many developers have a lack of knowledge about XSS. (“Twitter Attack An XSS Wake-Up Call”)
Also, XSS is especially a risk to Web 2.0 applications such as Twitter because they often interface with widgets and other third-parties.
It’s not easy to accurately track user-supplied data and identify where it’s being used securely
Remarks
While this attack on Twitter did not cause confidentiality or availability issues it did tamper with the integrity of the data on the website and caused Twitter to go red-faced with the exposure of their security lapses. Most developers consider the XSS to be benign and often fail to consider it while coding, and this incident would serve as a wake-up call to the prevalence of cross-site scripting bugs.
Higgins, K. J. (2010, September 21). Twitter Attack An XSS Wake-Up Call. Retrieved from http://www.darkreading.com/attacks-breaches/twitter-attack-an-xss-wake-up-call/d/d-id/1134397
Bobloard @ twitter.com. (2010, September 21). All about the “onMouseOver” incident. Retrieved from https://blog.twitter.com/official/en_us/a/2010/all-about-the-onmouseover-incident.html