XSS: Social Nets' Ticking Time Bomb
It doesn't take much to make an impact, even in the clutter-sphere of Twitter Inc., where last weekend a 17-year-old introduced a self-replicating worm that redirected Twitterers via cross-site scripting (XSS). It's a vulnerability that remains unresolved on Twitter -- and, by the way, on other social networking sites.
For all you non-script kiddies, what exactly is XSS?
Search engines are notoriously prone to XSS issues. If a search string includes some special HTML characters (such as an umlaut [¨] or a "not sign" [¬]), the search string will often be redisplayed on the result page to indicate what was searched for, or will at least be echoed into the text box for easier editing. Attackers can sometimes use combinations of these special characters as specific pointers in malformed and malicious URLs.
Many top social networks and Websites, such as Facebook, MySpace, Google (Nasdaq: GOOG), and eBay Inc. (Nasdaq: EBAY), simply overlook this issue; it's not considered serious, since users can only inject code into their own pages. According to the definitive security volunteer site for XSS issues, XSSED.com, more than 32,000 XSS vulnerabilities have been submitted, with more than 8,000 still on hold (i.e., unfixed). With a small amount of social engineering, an attacker can convince a user to follow a malicious URL, which injects code into the results page, giving the attacker full access to that page's content.
Luckily, the Twitter worm was not malicious; however, XSS can be used to introduce malware or to install scareware, using an obfuscated (encoded), malformed URL. Such exploits are extremely effective and difficult, if not impossible, for the average user to detect.
However, there were four strains of the Twitter worm; after the original, the writer created the others to prove that Twitter had not corrected the problem, only locked down suspected compromised accounts. This is the equivalent of a biohazard team quarantining infected people while leaving the source free to carry on infecting others. The problem exploits weaknesses within social networking sites, with examples from Facebook, eBay, MySpace (with a permanent XSS issue), and Google. I hate to say it, but we can expect future XSS flaws from these sites.
According to Giorgio Maone, the creator of NoScript, the XSS fix is obvious and simple to resolve: "This worm having been active so long is quite a surprise to me, since the exploited vulnerability (missing output encoding on users' profile Web page URLs) requires less than one minute to be fixed, if you know what you're doing."
Maone also confirmed that Twitter has not resolved the actual bug on its site: "The existence of a mildly obfuscated version authorizes a scary suspect: Have Twitter guys just been trying to block the original strain by signature, rather than fixing their Website error?"
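As an added example (not code from the article, from Twitter, or from NoScript), this is what the missing output encoding Maone describes looks like for a user-supplied profile URL written into an HTML attribute: the unencoded version beside a hardened one that validates the scheme and encodes for the attribute context. The function names and sample inputs are constructed for illustration.

```javascript
// Added example: output encoding for a user-controlled profile URL that is
// placed inside an HTML href attribute. All names and inputs are constructed.

// Escape the characters that can close an attribute value or open a tag, so
// user data cannot alter the surrounding HTML structure.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only http(s) URLs. Unparsable input and other schemes (javascript:,
// data:, ...) fall back to a harmless placeholder. The WHATWG URL parser
// also percent-encodes characters such as " < > in the path.
function safeProfileUrl(raw) {
  try {
    const u = new URL(String(raw));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not a URL at all
  }
  return 'about:blank';
}

// Vulnerable form: the raw value is interpolated straight into the attribute,
// so a double quote in the user's data ends the href early.
function renderProfileLinkUnsafe(url) {
  return '<a href="' + url + '">profile</a>';
}

// Hardened form: validate the scheme, then encode for the attribute context.
function renderProfileLink(url) {
  return '<a href="' + escapeHtml(safeProfileUrl(url)) + '">profile</a>';
}

// Constructed sample: user data containing a quote and angle brackets.
const SAMPLE_URL = 'http://example.com/"><b>injected</b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfileLinkUnsafe(SAMPLE_URL)); // attribute broken out of
  console.log(renderProfileLink(SAMPLE_URL));       // markup stays inert
}
```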
Social network users should be extremely grateful that this issue was highlighted by someone not intent on illicit gains, but purely as a promotional stunt, however irresponsible that was.
It is important to stress that XSS is not restricted to social networking or search sites: Just this week an XSS flaw surfaced on Symantec Corp. (Nasdaq: SYMC)'s Website; in December there was an XSS bug on Barack Obama's Website, and an earlier one on Google's.