First, let us be clear about the terminology. XSS stands for Cross Site Scripting (it is not called CSS because CSS already refers to Cascading Style Sheets). XSS is a way of injecting malicious code into a web page so that the users are troubled, user data is stolen, etc. If you don’t understand what that means, read along; you’ll understand it by the end of this article.
Now, to better understand how XSS attacks are performed, let's call our friends Alice, Bob and Oscar for help. The following sequence of steps explains how an XSS attack is performed:
- Bob hosts a website (in this case www.twitter.com) where users are allowed to make posts
- Alice and Oscar are users of Bob's website and Alice can view updates posted by Oscar (in twitter lingo, Alice is following Oscar)
- Oscar spots the XSS vulnerability in Bob's website and decides to exploit it. So he makes a post that exploits the vulnerability (in our case, redirecting the user to some illegal website when they move the mouse over the post)
- Alice eagerly opens Bob's website and is redirected to a totally unexpected website as she accidentally moves the mouse over Oscar's post (to make it worse, while her mom is watching from behind ;-))
- There is also a possibility that Oscar can exploit the vulnerability and steal Alice's session information (cookies) and impersonate Alice
- Thus, Alice is screwed (as always) !!
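The steps above depend on Oscar's post text reaching Alice's browser as markup rather than as plain text. The following is an added example, not code from Twitter or from the original article: the renderer functions, the markup and the sample posts are all constructed assumptions, showing a post rendered without output encoding next to the encoded version, with a check for event-handler attributes.

```javascript
// Added example: constructed posts and hypothetical rendering functions.
const posts = [
  { user: "alice", text: "Lunch at noon?" },
  // Constructed hostile post: a quote closes the attribute, then adds a handler.
  { user: "oscar", text: '" onmouseover="location=\'https://example.invalid/\'' },
];

// Vulnerable: post text is concatenated into an attribute value as-is.
function renderUnsafe(post) {
  return '<div class="post" title="' + post.text + '">' + post.user + "</div>";
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened: every piece of user-controlled data is encoded on output.
function renderSafe(post) {
  return '<div class="post" title="' + escapeHtml(post.text) + '">' +
    escapeHtml(post.user) + "</div>";
}

// Return the event-handler attributes (on*) present on the opening tag.
// Assumes the double-quoted attribute style produced by the renderers above.
function handlerAttributes(html) {
  const open = html.match(/^<\w+(?:\s+[\w-]+\s*=\s*"[^"]*")*\s*>/);
  if (!open) return ["<unparseable opening tag>"]; // fail closed
  const names = [...open[0].matchAll(/\s([\w-]+)\s*=\s*"[^"]*"/g)].map((m) => m[1]);
  return names.filter((n) => n.toLowerCase().startsWith("on"));
}

for (const post of posts) {
  console.log(post.user, "unsafe:", handlerAttributes(renderUnsafe(post)),
    "safe:", handlerAttributes(renderSafe(post)));
}
```

With encoding applied, Oscar's quote characters arrive as `&quot;` and stay inside the `title` value, so the browser never sees a separate `onmouseover` attribute.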
It is really bad that a website of the scale of twitter had such a vulnerability. But after all, no product is perfect. An official blog post from twitter said that this bug was created as a result of fixing some other issue. I personally feel that a company like twitter cannot afford to give such a lame excuse, for it could have caused many celebrities' profiles to have posted spam tweets and much more damage. Nevertheless, sites like twitter, facebook, etc. are the primary target for attackers these days and hence security precautions always have to be the number one priority.
Read more about this on twitter's official blog here.