Everybody heard the tweets: after several other security issues, including “exotic” ones like Clickjacking or JSON hijacking, Twitter is in serious troubles again, this time with an old-school XSS worm which quickly managed to infect many users profiles and is still spreading in multiple variants.
This worm having been active so long is quite a surprise to me, since the exploited vulnerability (missing output encoding on users’ profile web page URL) requires less than one minute to be fixed, if you know what you’re doing. The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error? This is would be ridiculous*, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that). And while the initial code just logs your session cookie on a remote server (which is already bad enough) and replicates itself as spam, nothing restrains a more malicious attacker from taking over your account with all its profile data right away.
The morale of this story? Never tweet without NoScript.
Ridicolous, but apparently true: in Twitter’s first hand account of the countermeasures taken over the weekend, there’s a lot of “cleaning up and locking down profiles”, but nothing about fixing the website’s bugs which allow infections like this to be spread.