May 26th, 2009

Twitter API ripe for abuse by web worms

Posted by Ryan Naraine @ 12:39 pm


A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks.

The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as researcher Aviv Raff points out, it’s much easier to misuse the Twitter API as a “weak link” to send worms squirming through Twitter.

Raff, well known for his research on browser and Web application vulnerabilities, points out that a single vulnerability on any of the third-party services (Twitpic, etc.) that post to Twitter through the API can trigger the next Twitter worm.

[ SEE: Twitter hit by multiple variants of XSS worm ]

Raff writes:

An example of this threat is a vulnerability I found a few weeks ago on the Twitpic.com website. Twitpic imports the profile information from Twitter, and displays it on the Twitpic.com profile page. While twitter.com (finally) sanitizes and encodes HTML tags in the Twitter profile information (name, URL, bio, etc.), Twitpic.com failed to do so and thereby allowed injecting scripts into the Twitpic user profile page. This is a very simple persistent XSS, which can be easily abused to hijack twitpic.com user accounts. However, because twitpic.com also uses the Twitter API to automatically send tweets on behalf of the user, whenever the user uploads a picture or comments on another user’s picture, it can also be easily used to create a Twitter worm.

[ SEE: Twitter being used to distribute malware ]

Raff created a demo attack that automatically comments on a random picture on Twitpic.com whenever a user visits the Twitpic.com profile of the account he created, “twitpicxss.”

Anyone who visited that profile page while logged in to Twitpic would automatically post the comment, and Twitpic would in turn send a tweet to Twitter with the content Raff set in that comment.

That content contained a link to the “twitpicxss” profile, so followers of the victim who clicked the link would be exploited in turn and keep the worm spreading.

Raff also showed me additional examples of cross-site request forgery (CSRF) problems in third-party Twitter services that could lead to worms.

Twitter’s ongoing search for software engineers to focus specifically on application and infrastructure security is a good first step, but unless security is baked into the way third parties use the API, the service will continue to be plagued by worms.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



Talkback
RE: Twitter API ripe for abuse by web worms
My Twitter account was corrupted - although I have done absolutely NO promoting in Twitter, my account was suspended for "strange activity." Try to get information from Twitter as to why this happened? - Lots of Luck!

Travis Chambers
chambers.travis@gmail.com...

Posted by: webscout Posted on: 05/31/09
