Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability he found on June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications.
James Lipton’s new public service announcements (PSA’s) on texting (text messaging) for teenagers gives the concept a whole new meaning. The campaign “Before you test, give it a ponder” features videos of Lipton loaning his trademark beard to teenagers so that its magical properties of forethought can be temporarily bestowed on them effectively uses humor to combat the problems of sexting and cyber-bullying.
Historically the “Is this you?” style Twitter attack seems to be seeded by either an original break in to the victim’s Twitter account, or that user having provided his or her credentials to a phishing style web site made to look like Twitter as the attack propagates through the popular micro-blogging service. This time around however, the account of security consultant and former cracker Kevin Mitnick was caught up in this generic, untargeted Twitter “worm”.
Around 9pm EST on Monday the Twitter account of pop singer Lady Gaga, @ladygaga was cracked in to and a series of messages added to her tweet stream. This is the second high profile Twitter account to be cracked in the last few days, on Friday the account of pop singer Britney Spears, @BritneySpears, started professing sympathy for the devil. The Lady Gaga one is interesting though, because like an homage to old school cracks of the past, the attackers appear to have left their name. Further these are two high profile accounts broken into after Twitter has implemented at least three major changes to their web site’s authentication process.
On Thursday morning, AVG researcher Roger Thompson, after sourcing some spyware attacks to a series of Facebook profiles, noted that these few hundred profiles were showing up with the same profile image (seen at left) but different profile information. The home video link on these profiles, belonging to Faith / Emily / whoever, points to the a web site that displays scareware dialogs.
But wait you say, are you trying to tell us that brute force password attacks will move to the API when I just read on the Twitter API wiki that the API severely limits the rate of calls you are allowed to make to it (200/hour/IP for authenticated requests without whitelisting)? That should be a mitigating control. Should be, but isn’t, because it is not enforced on all of the API calls.
At 2pm on Wednesday 9/24, wide scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”. The link opens a Twitter style log in page (albeit Twitter’s previous version of this page, they have a new one) which, except for being an old version and a stray angle bracket is convincing. Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.
