Twitter spreads malware just as fast as it spreads news
I was busy yesterday. Good job, really: it meant that I didn't even look at Twitter all day. In fact, the first I even knew of a problem was when Websense told me:
As of 3pm UK time, Twitter Safety is reporting that the XSS flaw is no longer exploitable.
This morning we saw proofs of concept of the Twitter command being posted by Twitter users and then began to see end users tweeting the code virally. There is the potential for malware authors to spread malicious tweets using the flaw to direct users to other Web sites.
As of writing, hundreds of new tweets per second are being published on twitter.com using the OnMouseOver flaw. Twitter users whose accounts have been affected by the flaw include journalists and high-profile celebrities.
One of these high-profile celebrities was, according to Graham Cluley, Sarah Brown.
Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister.
It appears that in Sarah Brown’s case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That’s obviously bad news for her followers – over one million of them.
Graham Cluley’s blog
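The "onmouseover flaw" the two quotes above refer to is an instance of HTML attribute injection: if the code that turns a URL in a tweet into a link interpolates the URL into an `href="..."` attribute without escaping it, a double quote inside the URL closes the attribute and whatever follows is parsed as further attributes, including an event handler such as `onmouseover`. The snippet below is an added illustration of that bug class, written for this page; it is not Twitter's code, and the linkifier, the helper names and the sample tweet are all constructed for the example. It shows the vulnerable renderer beside the hardened one and a small check that tells them apart.

```javascript
// Added illustration of attribute-injection XSS in a tweet linkifier.
// Not Twitter's code: the renderer, helper names and sample tweet are
// constructed for this example.

// Constructed sample tweet. The "URL" carries a double quote that, when
// dropped unescaped into href="...", terminates the attribute value and
// turns the rest of the URL into an onmouseover attribute.
const SAMPLE_TWEET = 'check this http://example.com/@"onmouseover="alert(1)"/ out';

// Deliberately naive URL matcher: an http(s) scheme followed by anything
// up to the next whitespace. Tweets never contain spaces inside a link,
// so this is exactly the kind of matcher a linkifier might use.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: the matched URL is interpolated straight into the
// attribute and the link text with no output encoding at all.
function renderLinksVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Minimal HTML escaper covering the characters that matter in both
// attribute values and text nodes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: the same matcher, but every interpolation is
// HTML-escaped, so a quote in the URL becomes &quot; and can no longer
// close the href attribute. Only http(s) URLs reach this point because
// URL_RE rejects other schemes such as javascript:.
function renderLinksSafe(text) {
  return text.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Detection helper: true if any tag in the rendered HTML contains an
// on* event-handler attribute. Browsers start a new attribute right
// after a closing quote even without whitespace, so the check accepts a
// quote, a space or another whitespace character before the "on" name.
function hasInjectedEventHandler(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}

// Stand-alone demonstration of both renderers on the constructed tweet.
console.log('vulnerable:', renderLinksVulnerable(SAMPLE_TWEET));
console.log('safe:      ', renderLinksSafe(SAMPLE_TWEET));
console.log('handler injected (vulnerable)?', hasInjectedEventHandler(renderLinksVulnerable(SAMPLE_TWEET)));
console.log('handler injected (safe)?      ', hasInjectedEventHandler(renderLinksSafe(SAMPLE_TWEET)));
```

The vulnerable output renders as `<a href="http://example.com/@"onmouseover="alert(1)"/">`, which a browser parses as an anchor with an `onmouseover` handler; merely hovering over the link runs the script, which is why the worm spread without anyone clicking. The hardened output keeps the whole URL inside a single attribute value. Output encoding at the point of rendering is the fix; validating the URL's characters on input is a useful second layer but should not be the only one.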
It is the speed with which threats can spread through services like Twitter that is worrying.
While most examples of the 'onmouseover' security flaw seem to be people playing around with code without specific malicious aim [the early position] … there's a possibility that bad actors may use this to direct end-users to malware and phish pages [which of course happened very quickly]. I'd like to think Twitter will have this under control before that happens [not really; but nearly]. However, we are surprised that Twitter has not suspended the main twitter.com web site while it works on a fix.
Christopher Boyd, senior threat researcher at GFI Software
The fact is, Twitter did not immediately suspend the site. And it is this ‘unreliability’ of other people that leads Lumension to say we need a fundamental rethink.
We simply can’t just rely on spotting malicious activity and then reactively try to stop it from affecting us – we need to take proactive steps to ensure that regardless of what is happening on the web, corporate environments are trusted and safe.
To steer clear of infections introduced by these types of unpredictable web events, businesses need to move from a threat-centric model that focuses on trying to prevent the bad, to a trust-centric model that only allows what is known to be good to run on the machine.
Don Leatham, senior director of solutions & strategy, Lumension