Researchers Make Wormy Twitter Attack
March 20, 2009 – 5:53 PM
Computer security researchers have devised a new Twitter attack that they say could spread virally, much like a worm, on the microblogging service.
The attack, posted online Thursday by researchers at Secure Science, is an innocuous proof of concept that forces users to send out a predetermined Twitter message, but it could be repurposed into a very nasty worm, said Lance James, chief scientist with Secure Science.
“You can couple an attack with our code and it would just tear the crap out of Twitter,” he said.
The hack is similar to a clickjacking attack that was making the rounds on Twitter last month. There, attackers used clickjacking, a technique that lays an invisible frame of the target site over a decoy page so that a user's click lands on a control they never see, to trick users into clicking on a link without realizing it. That click would post the Twitter message “don’t click” along with a URL.
This time around, Secure Science’s researchers found a way to exploit a Web programming error on Twitter’s support site to post the unwanted message. After a warning message, Secure Science’s test code posts the message “@XSSExploits I just got owned!” to the victim’s profile.
A malicious user could do much worse with this bug, however, James said. The attack could be modified so that there was no warning screen, and it could be beefed up with a sensational message that users would be more likely to click. If it were combined with malicious browser attack code, it could be used to take control of victims’ machines, James said.