A dangerous XSS bug surfaced on Twitter on Monday, and researchers have seen active exploits for the bug, which allows an attacker to steal the session cookie of a Twitter user with a simple click-and-you're-owned technique.
Experts say that the attacks seem to be emanating from domains in Brazil, and that more than 100,000 users had already clicked on one malicious shortened URL related to the attack. And that's just one link. It's unclear how many other malicious links have been created to exploit this flaw.
"The malicious JavaScript payload that's being distributed is rather simple. It uses an XSS (Cross-Site Scripting) vulnerability to steal the cookie of the Twitter user, which is transferred to two specific servers. Essentially, any account which clicked on the malicious links is compromised," Stefan Tanase, an anti-malware researcher who specializes in social networking threats at Kaspersky Lab, said in an analysis of the Twitter exploit.
"All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil."
One of the tweets used to direct users to the malicious site exploiting the XSS bug is written in Brazilian Portuguese and references a Brazilian band.
Twitter officials said on Tuesday morning that the vulnerability has been fixed. However, the XSS flaw, which was on one of the many sub-domains that Twitter maintains, may just be the tip of the iceberg for the massively popular social networking platform. The shortened URLs that are essentially mandatory on Twitter, thanks to the platform's 140-character limit on messages, are a serious weak link in the site's security.