Twitter XSS Strikes Again

It seems to be a bad week for Twitter: once again they have been targeted by an XSS attack, which is spreading quickly across the site. It’s still not certain who wrote it, though “Mikeyy” is referenced in a number of the messages that are popping up across users’ pages. Earlier in the week it was determined that a 17-year-old named Mikeyy Mooney was responsible for the original XSS attack, and one reason he wrote the exploit was as a means to advertise his website. The new attack chooses one of the following messages and posts it to an infected user’s page.

Twitter, this sucks! Fix your coding.
Twitter Security Team Really? You need to be fired.
Horrible Coding!
@oprah - sup? welcome to twitter. - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboytellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. ;) - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!! - mikeyy
Get Firefox, thanks.
Twitter, you should be paying me now. - mikeyy

The code itself is stored in a file called xss.js on the same server as the previous attacks, so the author is not exactly trying to be subtle. It’s slightly obfuscated, though simple enough for us in the Labs to reverse.

At first glance the deobfuscated code appears to be trying to create some ActiveXObjects, which tells us Internet Explorer users will be affected, as one of the random comments seems to suggest. Any vulnerable user who views an infected user profile will also become infected, because the script is injected through the CSS, which is how it has managed to spread itself so quickly.
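The worm's own messages name the missing control: a before-save hook that escapes or validates user data. The following is an added example, not code from Twitter or from the Labs, showing that control for profile values that end up in a page's CSS. It assumes the user-controlled values are colour settings written into a style block (the post says only that the script is injected through the CSS); the field names and the sample submission are constructed for illustration.

```javascript
// Allow-list: a colour setting only ever needs 3 or 6 hex digits.
const HEX_COLOUR = /^[0-9a-f]{3}(?:[0-9a-f]{3})?$/i;

// Hypothetical profile fields whose values are written into the page's CSS.
const COLOUR_FIELDS = ['background', 'text', 'link'];
const CSS_RULES = {
  background: (c) => `body { background-color: #${c}; }`,
  text: (c) => `body { color: #${c}; }`,
  link: (c) => `a { color: #${c}; }`,
};

// Encode the characters that can switch HTML parsing context (free-text fields).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Save-time check: keep values that match the allow-list, report the rest.
function validateProfileColours(input) {
  const clean = {};
  const rejected = [];
  for (const field of COLOUR_FIELDS) {
    if (!Object.prototype.hasOwnProperty.call(input, field)) continue;
    const raw = String(input[field]).trim().replace(/^#/, '');
    if (HEX_COLOUR.test(raw)) clean[field] = raw.toLowerCase();
    else rejected.push(field);
  }
  return { clean, rejected };
}

// Render-time: re-check the allow-list so an unvalidated value never
// reaches the style block, even if a caller skipped the save-time check.
function renderProfileStyle(clean) {
  const rules = COLOUR_FIELDS
    .filter((f) => typeof clean[f] === 'string' && HEX_COLOUR.test(clean[f]))
    .map((f) => CSS_RULES[f](clean[f]));
  return `<style>\n${rules.join('\n')}\n</style>`;
}

// Constructed sample submission: one valid colour, and one value that tries
// to close the style block and open a script element.
const submitted = {
  background: '#9AE4E8',
  link: '0084b4"></style><script>/* constructed */</script>',
};
const result = validateProfileColours(submitted);
console.log(result.rejected);
console.log(renderProfileStyle(result.clean));
console.log(escapeHtml('<b>bio & "links"</b>'));
```

Rejected fields are worth logging with the account identifier: a colour value that fails a hex check is rarely an honest mistake, and a burst of them is an early signal of a spreading profile worm.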

Sophos users will be happy to know that we currently detect the script as JS/Twitter-C. We will be keeping an eye on Twitter and reporting anything new we may find here on our blog. It is still a good idea to run Firefox and NoScript to help protect yourself from all kinds of JavaScript attacks.