Thursday, September 23, 2010

Twitter onMouseOver Saga - XSS and much more !!

There could not be a better time for me to write about XSS, as the famous Twitter recently ran into an XSS vulnerability that was exploited by many people around the world to redirect users to unwanted sites, post or retweet content without their consent, and so on. What the hell was wrong with Twitter? Why did all this happen? In this article, I have tried to answer these questions.

First, let us be clear about the terminology. XSS stands for Cross Site Scripting (it is not abbreviated CSS because CSS already refers to Cascading Style Sheets). XSS is a way of injecting malicious code into a web page so that users are harassed, their data is stolen, and so on. If you don’t understand what that means, read on; you will understand it by the end of this article.

Before going into XSS, let me give a brief introduction to client side scripting. Client side scripting (I don’t want to abbreviate this, as it would again end up as CSS!) is nothing but code that gets executed within your web browser. When you open a website, the page is delivered as HTML along with some client side scripts. For example, if you click on a piece of text and a pop-up appears saying “hello world”, a simple script has just run within your browser. JavaScript is the usual example of a client side scripting language.

JavaScript can do things like redirecting the user to another website, accessing personal data (in the form of cookies, etc.) and much more. Twitter takes data from the user (in the form of status updates) and displays it in your timeline. Since client side scripts are nothing but pieces of code embedded in the HTML, the part of Twitter that displays a post has to be careful enough to treat the post as plain data and escape it (a simple example of escaping is replacing > with &gt; and < with &lt;, which prevents the browser from misinterpreting user-posted data as an HTML tag; another simple example is using printf(“\\n”) in C to literally print \n on the screen rather than a new line).

Similarly, user-supplied text has to be escaped properly before being displayed, or else there is a possibility that the browser will misinterpret the data posted by the user as JavaScript and start executing it, which can cause real damage. If the escaping is not done properly, then the attacker (usually the person who is always one step ahead of the developer) will be clever enough to exploit that display method to inject malicious JavaScript. Such an improper display mechanism is known as an XSS vulnerability, and attacks exploiting XSS vulnerabilities are known as XSS attacks. Twitter faced one such attack two days ago.
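As an added example (not code from the original post or from Twitter), here is how the escaping rule above plays out when user text is placed inside an HTML attribute, which is exactly where an onMouseOver handler lives. The sample posts, the two rendering functions and the `/status?q=` link format are constructed for illustration; the checker parses the rendered HTML the way a browser would and reports any on* attribute that ended up in a tag.

```python
import html
from html.parser import HTMLParser

# Constructed sample posts (not from the original article). The second one is
# the classic attribute breakout: a quote closes the href value and an
# onmouseover attribute follows it.
POSTS = [
    "hello world <b>not bold</b>",
    '" onmouseover="alert(document.cookie)',
]


def naive_escape(text):
    """Escape only < and >, as in the article's example. Enough for element
    content, not for text placed inside a quoted attribute value."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def render_post_naive(post):
    # The post text lands in a quoted attribute AND in element content.
    e = naive_escape(post)
    return f'<a href="/status?q={e}">{e}</a>'


def render_post_safe(post):
    # quote=True also encodes " and ', so the data can never end the attribute.
    # The fixed "/status?q=" prefix keeps the URL scheme out of user control.
    e = html.escape(post, quote=True)
    return f'<a href="/status?q={e}">{e}</a>'


class HandlerFinder(HTMLParser):
    """Collects on* attributes that a browser would treat as event handlers."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower(), value))


def injected_handlers(rendered):
    """Return (tag, attribute, value) for every event handler in the HTML."""
    finder = HandlerFinder()
    finder.feed(rendered)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    for post in POSTS:
        print("naive:", injected_handlers(render_post_naive(post)))
        print("safe: ", injected_handlers(render_post_safe(post)))
```

The naive renderer passes the first post but turns the second into a real onmouseover handler; the quote-aware renderer yields no handler for either.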

Now, to better understand how XSS attacks are performed, let's call our friends Alice, Bob and Oscar for help. The following sequence of steps explains how an XSS attack is performed:

  • Bob hosts a website (in this case www.twitter.com) where users are allowed to make posts

  • Bob's website has an XSS vulnerability (in this case, the JavaScript onMouseOver handler vulnerability)

  • Alice and Oscar are users of Bob's website, and Alice can view updates posted by Oscar (in Twitter lingo, Alice is following Oscar)

  • Oscar spots the XSS vulnerability in Bob's website and decides to exploit it, so he makes a post that triggers the vulnerability (in our case, one that redirects the user to some illegal website when they move the mouse over the post)

  • Alice eagerly opens Bob's website and is redirected to a totally unexpected website as she accidentally moves the mouse over Oscar's post (to make it worse, while her mom is watching from behind ;-))

  • There is also the possibility that Oscar exploits the vulnerability to steal Alice's session information (cookies) and impersonate her

  • Thus, Alice is screwed (as always) !!



It is really bad that a website of Twitter's scale had such a vulnerability. But after all, no product is perfect. An official blog post from Twitter said that this bug was created as a result of fixing some other issue. I personally feel that a company like Twitter cannot afford such a lame excuse, for it could have caused many celebrities' profiles to post spam tweets and much more damage. Nevertheless, sites like Twitter, Facebook, etc. are the primary targets for attackers these days, and hence security precautions always have to be the number one priority.

Read more about this on Twitter's official blog here.

-Vignesh