Beware The Twitter Black Text

As a web developer, one thing you learn early on is that you can’t trust the user’s input at all. When you ask for a date of birth in mm/dd/yyyy format, people *will* type in September 17th, 1962. When you ask for a number from 1 to 10, people *will* type in “red.” Don’t ask me why, but people do these things. Sometimes it is out of sheer ignorance of what should be entered (either due to a fault of the webmaster’s for not being clear enough or due to the user not reading directions). Sometimes, though, the user will be malicious in nature and will be trying to find holes in your code to exploit.

A common method of attack is called a SQL Injection attack. In layman’s terms, this is an attack that fools the script into running what the hacker wants instead of what the webmaster intended. For example, if the webmaster asked you for your user ID and used that to form a query like “Select * From users Where ID = USERID” (where USERID is the ID you entered), this could be hacked by someone entering “1; Delete From users;”. The “1” would complete the webmaster’s original query and the semi-colon would indicate to the server that another query was coming. Then the Delete statement would delete all data in the database (well, at least the Users table).

Obviously, webmasters would want to take measures against this. To do this, they would check the user’s input against what they were expecting and act accordingly. Using the example above, I could check to see if the data was a number. If the user entered “5”, they would be ok and the query would be run. If the user entered “1; Delete From users;”, their data would either be cleansed (just use the “1” portion) or rejected outright.

So what does this have to do with Twitter? This:


The black text above hides a Twitter worm working its way through as of this writing. This is similar to the database example above, only in this case it involves Twitter and link formation.

You see, if you’re typing a tweet and say, for example, “I really like“, Twitter will helpfully turn the typed URL into a clickable link for you. It does this by detecting where the link is and sticking it in a <a href=”URL”>URL</a>. (The actual code is slightly more complex, but this simplified version will work for now.) This works fine when the typed URL is, but what if the URL is this:”onmouseover=”;$(‘textarea:first’).val(this.innerHTML);
$(‘.status-update-form’).submit()” style=”color:#000;background:#000;/

Don’t worry. I’ve kept this code from forming a link and split it on two lines for good measure. The first segment (“”) is used to fool Twitter into thinking that the rest of the code is just a hyperlink. Next, a double-quote (“) is used to close out the HTML link section. Now the real “fun” starts. The “onmouseover” tells the browser to run the following code when the user hovers over the link. The code within this section enters the whole fake link into Twitter’s status update box and submits it. This is what makes you tweet that link and thus spread the worm. The remaining section (“style…”) turns the text and background colors to black to hide the text and make it look “censored” (prompting you to hover over it to see what it says). The slash at the end further fools Twitter into thinking that the whole thing is one big URL.

So what should you do if you’ve been hit? Delete the tweet, for one thing. I’d also recommend using a 3rd party application like Seesmic Desktop or TweetDeck until Twitter addresses it. At this writing, the worm is only propogating itself and isn’t otherwise a threat. Still, the code it runs could send you to other websites (which could infect you with malware/viruses/trojans) or do other things to compromise your account/computer. So keep your eyes peeled for suspicious activity.

What can Twitter do? For one, I’d recommend that they escape any double-quote in URLs. If that code was rendered as:;onmouseover=&quot;;$(‘textarea:first’).val(this.innerHTML);
$(‘.status-update-form’).submit()&quot; style=&quot;color:#000;background:#000;/

then the worm wouldn’t be able to run its payload. Hopefully, Twitter will act on the fast and prevent any further spread.

UPDATE: Twitter has fixed the bug that allowed this script to run. You can see my non-malicious test tweet here. Notice how the link cuts off before “onmouseover.” This means that the worm is now stopped in its tracks. While an old infection-tweet might cause you to post the link, the resulting tweet won’t be able to spread the worm. In addition, Twitter seems to be deleting the worm where they can find it. Good job, Team Twitter!