Twitter XSS Vulnerability

So by now a lot of people have realized that the Twitter web interface has succumbed to an XSS vulnerability. The JavaScript contained in one particular tweet that’s part of this causes you to retweet it so that it will spread to others and then establishes a modal overlay on your Twitter home page so that mousing over it forces you to continue retweeting it over and over again.

I had a hunch on how to get around this that turned out to be correct. Go to your Twitter user page (in my case, http://twitter.com/elazar). This JavaScript doesn’t appear to affect that page, allowing you to undo the retweets so you can access your Twitter home page again. Note that this won’t prevent retweets from people you follow from showing up in your feed. The best you can really do about that is help to spread the word about how to fix this situation.

At this point, I would suggest deleting your cookies, logging into Twitter, navigating manually to http://twitter.com/settings/account, changing your password, logging out, and logging in again. It may also be best to use a Twitter client instead of relying on the web interface until it’s fixed. No word from Twitter on this as of yet.

If you have any other comments that may be handy in this situation, please leave them on this blog post.

2 Comments

  1. It is recommended that you use FireFox and install the following addons:

    No Script: https://addons.mozilla.org/en-US/firefox/addon/722/ <- Used to block unwanted scripts from unauthorized domains (e.g. http://t.co/)

    Request Policy: https://addons.mozilla.org/en-US/firefox/addon/9727/ <- Blocks remote requests to unauthorized domains.

    Remove it Permanently (RIP): https://addons.mozilla.org/en-US/firefox/addon/521/ <- can be used to remove the black stuff covering your profile when the page loads.

    Using NoScript and RequestPolicy, I first denied all remote requests for any resources that weren't absolutely necessary to get the web interface to operate sufficiently. Next, I used RIP to remove the black stuff hovering over the content in my pages and the unwanted tweets. Finally, I un-did my RT's of the malicious bug that's going around and spreading this problem.
    That should alleviate the problem for your account for the time being and keep the exploit at bay. However, if future RT's come in from people you follow, be forewarned: They can cause the exploit to start all over again. So after you've removed your RT's it's best to avoid the web interface all-together until #Twitter can address the issue. Use a desktop client such as Spaz, or TweetDeck.

    -Kizano

  2. The sporadic XSS attacks of the last few years are an argument for not using the twitter web interface at all. It’s been a while since I used a desktop twitter client but it may be worth investigating where they stand currently.