Twitter worm copycats
Last Updated: 2009-04-13 18:07:20 UTC
by Bojan Zdrnja (Version: 1)
Yesterday Patrick wrote about a Twitter worm exploiting an XSS vulnerability in Twitter's profile page. Besides the "original" worm that was supposedly written by a teenager Mike Mooney there are some copycats out.
The copycat Twitter XSS worms exploit the same vulnerability – actually most of the code remains the same but they obfuscated it to make analysis a bit harder. They also added couple of updates so it looks like they are exploiting other profile setting fields which the original worm didn't exploit, such as the profile link color.
You can see an excerpt of the worm code below:
authreg= new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
_0x67cc is just an array the attackers define at the beginning, which contains all key words. The array's contents are hex encoded so they can't be read directly (but can be easily translated into ASCII, of course). The element _0x67cc[0x24] above is "documentElement", while _0x67cc[0x23] is "innerHTML" so they simply end up calling document.documentElement.innerHTML.
It looks like the folks from Twitter are still fixing all the vulnerabilities (I wonder how they missed this in the first place), so be careful as we can expect even more copycat worms trying to capitalize on this. Use addons such as Noscript for Mozilla and, if you are a web developer, be sure to follow good recommendations from OWASP.