Combating Twitter worm threats: It’s not technical, it’s personal

Twitter has been hit by two worms in the span of a week. The worm last week, called the OnMouseOver worm, took advantage of a mouse rollover vulnerability.

It affected Twitter users in a number of ways. Some users were redirected to a Japanese hardcore porn site; followers of the White House Press Secretary received gibberish Tweets. In a September 21 blog post, Twitter said it had fixed the problem that led to the OnMouseOver worm in August, but a site update had re-opened the vulnerability.

The worm this week was much less extensive. It redirected users who clicked on a link to a URL involving questionable activities with goats and resulted in a retweet indicating the user enjoyed those activities.

This has many security people saying there must be something a huge social networking site like Twitter can do to stop these worm attacks, some technical fix that can make the site secure.

Well, there is a fix, but it’s not technical, it’s personal. Self-reporting by users is the best way for social networking sites like Twitter to keep their systems secure, said Sean Sullivan of F-Secure in an interview with Infosecurity. “The social aspect of the network is a built-in defense,” he said.

For example, during the OnMouseOver worm last week, “there were a lot of Tweets saying to log off of the Web interface; that it was vulnerable. Use your third-party applications, such as mobile sites, they are not vulnerable because they don’t have JavaScript [which was responsible for the worm]. And people logged out of Twitter… It’s not a technological solution but inherent to the social aspect of its networks.”

Sullivan also suggested setting up a bounty program for users who find vulnerabilities in the system. He noted that Google paid out several thousand dollars for vulnerabilities that were discovered recently.

The Twitter worm last week was launched by two 17-year-olds who found out about the vulnerability from other users who exploited it for benign purposes.

“The young people have this mentality that this is fun and games… Cash is king for kids that age. If they report a vulnerability to Twitter, get paid for it, and get notoriety that way, it’s probably the only way to get to a 17-year-old interested in reporting… Kids don’t think poking around with these sites and finding vulnerabilities is doing damage… Offering a bounty program and incentives for being more cooperative is probably the best way for the organization to bite the bullet and get the people who will be poking around anyway on their side,” he said.

Sullivan said that Twitter is very responsive to vulnerability reports. “Being the biggest at what they do, they work to make sure security is there to protect them.”

Web 2.0 makes the security issues very complex. “It is demanding to get every linkage part secure. One linkage part might be secure, and another part might be secure, but the way they interact might be insecure. It takes a lot of hard work,” Sullivan said.

Another solution Sullivan offered was to hire “the right guys to do the auditing of the site. It’s interesting that Twitter should allow JavaScript to be injected into a Tweet. There are special characters that are required to do that… They should take steps so that those are not valid characters for Tweets.”
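As an added illustration, not code from the article, from F-Secure or from Twitter, the JavaScript below shows the rendering-side counterpart of the character restrictions Sullivan proposes: context-aware output encoding, so that quote or angle-bracket characters in a tweet body or link are displayed as text rather than closing the HTML attribute they land in. The function names and the sample input are constructed for this example.

```javascript
// Added example, not code from the article or from Twitter.
// Context-aware output encoding for rendering a tweet: the body becomes a
// text node and the link becomes a quoted href, so quote or angle-bracket
// characters in user input cannot close the attribute or tag they land in.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape a string for an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only http(s) link targets; anything else (unparsable, javascript:,
// data:) is replaced by an inert "#". URL parsing also percent-encodes
// characters such as quotes and spaces that are not valid in a URL.
function safeHref(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not a parsable absolute URL
  }
  return '#';
}

// Render one tweet as an HTML fragment. The link target goes through
// escapeHtml even after safeHref, so the attribute context is encoded
// independently of what URL parsing did; the visible link text is
// escaped as a text node.
function renderTweet(text, url) {
  const href = escapeHtml(safeHref(url));
  return `<p>${escapeHtml(text)} <a href="${href}">${escapeHtml(url)}</a></p>`;
}

// Count double quotes in a rendered fragment: a correctly encoded tweet
// contains exactly the two that delimit the href attribute.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed sample input: a link whose query string tries to close the
// href attribute and start a new one, as a mouse-over injection would.
const craftedUrl = 'http://example.com/?q=" onmouseover="x';
const html = renderTweet('check this out', craftedUrl);
console.log(html);             // the extra attribute is rendered as plain text
console.log(quoteCount(html)); // 2
```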
