Slashdot Mirror


Twitter Hit With Second Worm In a Week

adeelarshad82 writes "Days after a site update unleashed a Twitter cross-site scripting attack, the micro-blogging site was again hit with a bug that spread via questionable links. The offending messages appeared on a user's Twitter feed with 'WTF:' followed by a link. If you clicked on that link, you were taken to a blank page, but behind the scenes, the worm would post vulgar messages on your account that discussed, well, sex involving goats."

24 of 97 comments

  1. Goatse Worm? by WrongSizeGlass · · Score: 3, Insightful

    It's no surprise that you could get worms from having sex, well, with goats.

  2. This is why... by thescreg · · Score: 5, Funny

    It took me awhile to realize what was going on. This is pretty much what I post about on Twitter anyway.

  3. Sex with goats? by The Good Reverend · · Score: 4, Funny

    Um, no, actually. That really was me.

  4. Re:where is that goatsex link when you need it? by ShaunC · · Score: 5, Informative

    WTF: Goatse

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  5. Re:I guess this script is baaaad for you. by Bill, Shooter of Bul · · Score: 4, Informative

    No. This is a Cross site Request Forgery attack. The Script in this case, was on the linked site, not in the tweet.

    For those not in the know:

    OWASP Cross Site Request Forgery Prevention Cheat Sheet

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  6. Re:Great - more 4Chan? by Dancindan84 · · Score: 2, Insightful

    You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  7. Re:where is that goatsex link when you need it? by Anonymous Coward · · Score: 5, Funny

    Now I've seen everything!

    A link to goatse is at "+2 Insightful" as I type this.

    A historical day at slashdot to be sure

  8. Yeah, yeah, yeah by microbee · · Score: 3, Funny

    blame the virus, you perverts!

  9. Re:where is that goatsex link when you need it? by AnonymousClown · · Score: 2, Funny

    That's because goatse is on topic and appropriate in this case. It's also on topic whenever anything to do with Congress comes up.

    Geeze!

    --
    RIP America

    July 4, 1776 - September 11, 2001

  10. The early bird... by Anne_Nonymous · · Score: 4, Funny

    ...gets the worm.

  11. OH by mattwrock · · Score: 2, Funny

    I thought it was posting goatse http://en.wikipedia.org/wiki/Goatse

    --
    "Ones and zeros were everywhere. I even think I saw a two!" - Bender
  12. Finally by rudy_wayne · · Score: 4, Funny

    the worm would post vulgar messages on your account that discussed, well, sex involving goats

    Finally!! Something worthwhile on Twitter.

  13. Re:I guess this script is baaaad for you. by nacturation · · Score: 4, Informative

    This post explains it quite well: http://www.andrewnacin.com/2010/09/26/csrf-twitter/

    Essentially, just create one or more iframes, with the iframe source set to http://twitter.com/share/update?status=WTF+PAYLOAD

    As long as you're logged into Twitter via the web, it will auto-post that update without any request for permission from you.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  14. Re:Call me hysterical if you will... by neumayr · · Score: 2, Insightful

    Hehe, good choice. But please be aware that you have no way of knowing how much of my code you're already running ;P

    --
    Truth arises more readily from error than from confusion. -Francis Bacon
  15. Re:Great - more 4Chan? by amicusNYCL · · Score: 4, Insightful

    You have to use twitter and be the type of person who clicks on questionable links without regard.

    Which of these links is "questionable":

    http://tinyurl.com/2tx
    http://bit.ly/heezy
    http://xrl.us/bh2p3m

    That's what all of the links on Twitter look like, which are OK and which are questionable? How does one distinguish?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  16. Re:Great - more 4Chan? by Dancindan84 · · Score: 5, Insightful

    All of them. I don't click on shortened URLs. Nor should anyone who isn't a Rick Astley or Goatse fan.

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  17. Re:Great - more 4Chan? by icebraining · · Score: 4, Informative

    Or you could install this GM script which expands them to the real URL without actually loading it.

  18. Re:I guess this script is baaaad for you. by miffo.swe · · Score: 3, Insightful

    The fucking point of the internet is clicking on links. Playing whack-a-mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken. If you have to verify every damn link you could as well just go for chess by physical mail and penpals instead of the internet.

    The user uses the internet as intended, the developers, not so much.

    --
    HTTP/1.1 400
  19. Re:I guess this script is baaaad for you. by Anonymous Coward · · Score: 3, Insightful

    So you're saying that every single time a friend posts a link, you phone or email them and ask if you actually posted a link, and want a description of the page linked to?

    Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

  20. Re:I guess this script is baaaad for you. by Yvan256 · · Score: 2, Interesting

    What about stopping that stupid cross-domain mess and only allow subdomains to be used? Sure it's going to break a lot of things (including banners...), but it would solve a lot of problems.

  21. Re:where is that goatsex link when you need it? by Jedi Alec · · Score: 3, Informative

    Next up: Twitter worms that discuss Natalie Portman naked and petrified, GNAA trolls and of course the classic penis bird.

    --
    People replying to my sig annoy me. That's why I change it all the time.
  22. Re:Great - more 4Chan? by lul_wat · · Score: 2

    http://unshorten.com/

    That said, I don't even bother clicking shortened links or unshortening them.

    --
    Divide a cake by zero. Is it still a cake?
  23. Re:Great - more 4Chan? by Dancindan84 · · Score: 2, Insightful

    So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded. Most phones aren't even bound by a character limit in SMS anymore. If a URL is stupidly long due to variables being sent, it's not hard to shorten a link without a stupid 3rd party service. Is it?

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
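The unshortening approach discussed in comments 17, 22 and 23 (resolve the short link to its destination without loading the destination), as an added example. This is not the Greasemonkey script or the unshorten.com service the commenters mention; it follows the redirect chain with HEAD requests and manual redirect handling, so no page body is downloaded and the final site is never contacted. The function names, the hop limit and the injectable `fetchImpl` parameter are this example's own assumptions.

```javascript
// Added example: resolve a shortened URL by walking its redirect chain with
// HEAD requests, never fetching a body and never requesting the final page.
// Not the script from the thread; names and the hop limit are assumptions.
const MAX_HOPS = 5;

// Pure decision step, kept separate so it can be tested with no network:
// given the current URL and the HEAD response, stop, follow, or block.
function decideHop(currentUrl, status, location) {
  if (status < 300 || status > 399 || !location) {
    return { action: 'done', url: currentUrl.href };
  }
  let next;
  try {
    next = new URL(location, currentUrl); // Location may be relative
  } catch {
    return { action: 'blocked', url: currentUrl.href, reason: 'unparseable Location' };
  }
  // A shortener that redirects to javascript:, data: or file: is hostile; stop there.
  if (next.protocol !== 'http:' && next.protocol !== 'https:') {
    return { action: 'blocked', url: next.href, reason: 'non-http scheme' };
  }
  return { action: 'follow', url: next.href };
}

// Walks the chain. fetchImpl defaults to the global fetch (Node 18+ or a
// browser); a stub can be injected to run offline.
async function expandShortUrl(startUrl, fetchImpl = globalThis.fetch, maxHops = MAX_HOPS) {
  const hops = [];
  let current = new URL(startUrl);
  for (let i = 0; i < maxHops; i++) {
    // HEAD + redirect:'manual' means the 3xx is returned to us instead of
    // being followed, and no response body is transferred.
    const res = await fetchImpl(current.href, { method: 'HEAD', redirect: 'manual' });
    const step = decideHop(current, res.status, res.headers.get('location'));
    if (step.action !== 'follow') {
      return { finalUrl: step.url, hops, blocked: step.reason || null };
    }
    hops.push(current.href);
    current = new URL(step.url);
  }
  return { finalUrl: current.href, hops, blocked: 'too many redirects' };
}
```

Two caveats a practitioner should keep in mind: the HEAD request still tells the shortener (and whoever created the link) that the short URL was resolved, so this reveals the destination without visiting it but is not anonymous; and some shorteners answer with a 200 interstitial page rather than a 3xx, in which case the chain ends at the shortener and the destination remains unknown.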
  24. Re:I guess this script is baaaad for you. by thePowerOfGrayskull · · Score: 2, Interesting

    And as I said above... if I see a link that's immediately followed by some spam about leisure activities with barnyard animals, I'm gonna question that link.

    Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken

    I agree that all of the above are a waste of time - you can't keep up. But you also can't blame the OS because it's no more capable of keeping up (unless it's a true walled garden - which works well for some people.) than OS vendors are. My point - and I don't see how it was missed - was that "security" vendors will jump on this bandwagon claiming that they can "fix" this problem when it's a problem that can only be solved via user education.

    (What I didn't say is that's also no solution at all. Users - rightfully I feel - don't want to be educated extensively in security practices when to their perspective they're using a simple tool. )

    The user uses the internet as intended, the developers, not so much.

    I agree. This exploit could just as easily be done without XSS. Someone clicks a link that says "check this out"; which in turn does an HTTP redirect to a GET URL that does the exact same thing. No script required.

    But there's also no OS currently in existence that can prevent this. Users click links, often blindly. Just because it's not fair that they need to do so intelligently doesn't change the fact that they must be responsible for what they click on.
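The mechanism in comment 13 (an iframe pointed at `twitter.com/share/update?status=...`, auto-posting because the browser attaches the logged-in cookie) and the no-script redirect variant in comment 24, as one added example. This is not Twitter's code: it is a minimal model of a status-update handler in the vulnerable shape the thread describes, beside a hardened version that follows the OWASP CSRF cheat sheet comment 5 links to (no state change on GET, a per-session synchronizer token sent in the body, and an Origin/Referer check). The site origin, the session store, the request object shape and all function names are assumptions for this example; the sample requests are constructed.

```javascript
// Added example, not Twitter's code. Models the endpoint from the thread in
// its vulnerable shape and a hardened shape. Origin, sessions, request shape
// and names are assumptions; sample data is constructed.
const SITE_ORIGIN = 'https://twitter.example'; // hypothetical own origin

// Session store: cookie value -> session. Constructed sample data.
const sessions = new Map([
  ['c0ffee', { user: 'victim', csrfToken: 'tok-9f3a2b' }],
]);

function sessionFor(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  return m ? sessions.get(m[1]) : undefined;
}

// Vulnerable shape: the only credential checked is the cookie, which the
// browser attaches automatically, and a GET is enough to change state.
function vulnerableUpdate(req, timeline) {
  const session = sessionFor(req);
  if (!session) return { status: 401 };
  const url = new URL(req.url, SITE_ORIGIN);
  if (url.pathname !== '/share/update') return { status: 404 };
  const text = url.searchParams.get('status');
  if (!text) return { status: 400 };
  timeline.push({ user: session.user, text });
  return { status: 200 };
}

// Constant-time comparison so the token check does not leak how many
// leading characters matched.
function tokensEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened shape.
function hardenedUpdate(req, timeline) {
  const session = sessionFor(req);
  if (!session) return { status: 401 };
  // 1. No state change on GET: <iframe>, <img> and HTTP redirects can only issue GETs.
  if (req.method !== 'POST') return { status: 405, reason: 'state change requires POST' };
  // 2. The request must come from our own origin. Browsers send Origin on
  //    cross-site POSTs; fall back to Referer; reject if neither is ours.
  let origin = req.headers.origin || null;
  if (!origin && req.headers.referer) origin = new URL(req.headers.referer).origin;
  if (origin !== SITE_ORIGIN) return { status: 403, reason: 'cross-origin request' };
  // 3. Synchronizer token: tied to the session and carried in the body, not a
  //    cookie, so a foreign page can neither read it nor get it sent for free.
  const body = new URLSearchParams(req.body || '');
  if (!tokensEqual(body.get('csrf_token') || '', session.csrfToken)) {
    return { status: 403, reason: 'missing or wrong CSRF token' };
  }
  const text = body.get('status');
  if (!text) return { status: 400 };
  timeline.push({ user: session.user, text });
  return { status: 200 };
}

// What the victim's browser sends when the worm page contains
// <iframe src="http://twitter.com/share/update?status=WTF+PAYLOAD">:
// the cookie rides along and the attacker's page is the Referer. A redirect
// to the same URL produces the same GET, just with no Referer or Origin.
const iframeRequest = {
  method: 'GET',
  url: '/share/update?status=WTF+PAYLOAD',
  headers: { cookie: 'sid=c0ffee', referer: 'https://attacker.example/blank.html' },
  body: '',
};

// A genuine submission from the site's own form, token included.
const legitimateRequest = {
  method: 'POST',
  url: '/share/update',
  headers: { cookie: 'sid=c0ffee', origin: SITE_ORIGIN },
  body: 'status=hello&csrf_token=tok-9f3a2b',
};

function demo() {
  const before = [];
  const after = [];
  return {
    vulnerable: vulnerableUpdate(iframeRequest, before),
    postedByWorm: before.map((p) => p.text),
    hardenedVsIframe: hardenedUpdate(iframeRequest, after),
    hardenedVsLegit: hardenedUpdate(legitimateRequest, after),
    postedAfterFix: after.map((p) => p.text),
  };
}
```

The POST-only rule is what stops the redirect variant: a redirect lands as a top-level GET, and a `SameSite=Lax` cookie (a browser-side control that did not exist at the time of the thread) is still sent on top-level GET navigations, so cookie policy alone would not have closed that path. The token is what stops a cross-site POST that a hostile page auto-submits from a form.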