When a bug goes viral.

It was 3pm GMT when a 19-year-old Austrian nicknamed Firo was sending a tweet. There were millions of us tweeting too and his actions were not unusual. As he typed his tweet, he inserted a heart character and noticed that two appeared. Curiosity got the better of him and he started playing with his tweet. His discovery was that he could insert code into his tweet and yet the tweet displayed only his love heart.

The thing about Twitter is that it brings like-minded individuals together. When Firo’s followers received his tweet in Tweetdeck, they got a pop-up box with some text in it. When they re-tweeted it, so did their followers, and so we see an initial growth. Firo knows computing, his friends know computing too and their circles are all in the same areas. After 30 minutes, the UK was receiving these curious messages and word was out…

XSS in Tweetdeck

When the tinkerers saw what they could do with a simple script, they had a field day sending funny messages over Twitter. As the Tweets grew, so did the curiosity; Firo was past playing with the bug and the message was spreading. Within 2 hours, Tweetdeck was almost becoming a ghost town as the message sank in…

There is an XSS in Tweetdeck – this is serious.

We shut it down and un-linked our Twitter accounts. Two hours after the initial finding of the bug, the users were savvy enough to understand its severity and were protecting themselves.

Shortly after this was where we saw the self-propagating tweet. Using the same framework, it gave you the pop-up message but also automatically re-tweeted itself. When this variant hit the BBC breaking site, 10.1 million followers received that tweet. Anyone using Tweetdeck automatically re-tweeted it. This was now a dangerous game and Tweetdeck pulled the plug.

A wise move by all accounts: had it been allowed to proliferate, Twitter could have fast become overrun and more harmful code could have been injected into a Tweet. Fingers were pointed at bad programming, the Twitter takeover and yes, I dare say the Governments probably got a finger pointed at them or two.

Bugs exist in code because we write code. Humans write code. We are not perfect. Bugs are found every day; some are low impact and some critical. A bug is simple to introduce by accident and can lie undiscovered, in some cases for over a decade (OpenSSL).

Firo did no wrong; he is a good definition of a hacker: he got curious and worked out what it could do. The media should not demonise him for his actions, in the same way Codenomicon should not be demonised for finding Heartbleed. Firo is a hacker. The media should learn that this is a good thing. He is not a criminal. Someone who finds bugs and has the intent to cause harm is a criminal. We need to separate these terms and this is a perfect opportunity.

Well done to the hacker Firo for finding this bug even if it was by accident (as most great discoveries are!).

We must also applaud Tweetdeck for such a fantastic and speedy resolution to the bug. I have no idea how many thousand lines of code they had to go through, but they did and they fixed it.

I wonder what the next bug will be that is found today?

I wonder if it will be in a 90s game that, if you press IDDQD, IDKFA, IDCLIP……

Associated articles:
Original article identifying Firo
Doom

XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.

I was first alerted when I got a pop-up.

My initial reaction was to ask out on Twitter – then I noticed it… every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.

I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names, there it was.

I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^

https://twitter.com/firoxl/status/476738843841159168

I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries – they were done by accident.
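Firo’s description of the bug (TweetDeck not escaping HTML characters when the heart was present) is the classic shape of an output-encoding failure: one content-dependent rendering path bypasses the escaping the others get. The following is an added illustration in JavaScript, not TweetDeck’s code or anything from this post; the renderer, the heart codepoint (assumed U+2665) and the sample tweets are constructed for the example, and the vulnerable function models the symptom only, not TweetDeck’s actual cause.

```javascript
// Added illustration: a renderer with a heart-only path that skips escaping,
// beside a renderer that escapes first. All code and data here is constructed
// for the example; it is not TweetDeck's code.

const HEART = '\u2665'; // the "love heart" character (assumption: U+2665)

// Minimal HTML escaping for text placed in element content.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const HEART_IMG = '<img class="emoji" alt="heart">';

// Hypothetical emoji substitution: swap the heart for an <img> tag.
function replaceHeart(html) {
  return html.split(HEART).join(HEART_IMG);
}

// Vulnerable shape (constructed model of the symptom): when a heart is
// present the raw tweet goes straight into the substitution step, so any
// markup the author typed reaches the page unescaped.
function renderTweetVulnerable(tweet) {
  if (tweet.includes(HEART)) {
    return replaceHeart(tweet);
  }
  return escapeHtml(tweet);
}

// Hardened shape: escape unconditionally, then substitute on the escaped
// text. The heart is not an escaped character, so it is still found.
function renderTweetSafe(tweet) {
  return replaceHeart(escapeHtml(tweet));
}

// Regression check for either renderer: once our own emoji tag is removed,
// no literal angle bracket from the input may survive in the output.
function leaksMarkup(render, tweet) {
  const stripped = render(tweet).split(HEART_IMG).join('');
  return stripped.includes('<') || stripped.includes('>');
}

// Constructed sample tweets: one benign, one carrying a script tag.
const benignTweet = 'Hello ' + HEART + ' world';
const markupTweet = '<script>alert(1)</script> ' + HEART;
```

Running `leaksMarkup` over both renderers with `markupTweet` shows the vulnerable path leaking and the hardened path not; the same check belongs in a test suite so a new content-dependent path cannot reintroduce the bypass.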

At the time of writing, Tweetdeck has now fixed the issue:

https://twitter.com/TweetDeck/status/476763638695743489

Where could it have gone?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it: 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out. Not a bad turnaround in the grand scheme of things!

Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.

The FIX:

Log out of Tweetdeck – log back in again!

Something bugging me about the Twitter hack

There’s something strange,

in the media world.

Who you gonna call?

Well, no-one actually!

Twitter announced on Friday 1st Feb on its blog that it had been compromised and various details had been lifted from their servers.

OK – rewind – last time they were compromised (November 2012) we had full disclosure of the incident, and yet with this recent blog post we have nothing. Odd? I thought so too.

So, speculation time …

1. The Java Cover-up

With the Java 0-day mess at the moment, is this just a front for Twitter to get developers to stop using Java to connect to them… BEFORE… the actual incident happens? It would make sense in some ways. Twitter cannot afford the damage to brand and reputation if they were left completely open, so if they were to post a faked article with wishy-washy details about the incident, it would come as no shock to the industry when they announce in 3 weeks that they no longer support Java apps connecting to them.

Tie this in to the hacks against US media at the same time and we find even less detail; allegedly they are all related… well, how?!

2. The numbers don’t add up

Let’s assume Twitter was hacked. Let’s pretend it was you who compromised them… 200 million accounts to play with – you could be rich!! Just think of the value in the data. The spammers would rip your arms off for that kind of data. So why take only 250,000 accounts? Even Twitter admitted:

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later.

This week ….

shut it down in process moments later.

Which is it? A week or moments?

3. Who Dunnit?

We know it’s not Anonymous this time – otherwise every script kiddie in the universe would be all over this. We also know that there is no value to organised crime – no financials can be gained. So who is responsible? Tenuous claims to China? Why? There’s nothing in this hack to suggest that. If it was someone who’d struck lucky with an exploit, we’d have heard about it by now. This would be great kudos for the person/group involved. And yet… nothing. Twitter states:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.

So Twitter knows it was not isolated and that others have been hit similarly (but didn’t link it to the US media as above). Who else has been attacked, and who is this mystery shadowy non-amateur person/group that takes data and not for the kudos or lulz…

I know I could just be being sceptical, but after writing the corporate blog for Secarma on this, I got a funny feeling that I’d somehow missed the point. Where’s the best place to hide something? In plain sight. So why not hide it in the Twitter blog.

I went back and re-read the Twitter blog.

Paragraph 1 – US Media and Java

Paragraph 2 – timeframes and number of accounts

Paragraph 3 – what they have done

Paragraph 4 – password tips

Paragraph 5 – Java tips

Paragraph 6 – attacker

I just wonder… is this another nail in Java’s coffin or is this a real incident? There is nothing conclusive in this blog, no reveal… just nothing. As someone who reads a lot of this kind of article, it just feels like Twitter are playing a good game of poker here and holding their face firm.

What do you think?

Thanks

SPCoulson