A new Twitter XSS exploit was identified in the wild as it started to be used by cybercriminals overnight.
But how many people clicked the link? The bit.ly statistics for one of the malicious links are more than worrying, showing an alarming number: more than 100.000.
All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil. Last, but not least, just take a look at the tweet used in distributing this malicious payload:
Pe Lanza da banda Restart sofre acidente tragico - it's a short tweet in Portugese about the Brazilian pop band Restart suffering a "tragic accident". I'd say there's not much doubt about the origins of this attack.
We've added detection for the malicious scripts as Exploit.JS.Twetti.a and also made sure the URLs used in this attack are blacklisted. We are currently working on taking down the malicious URLs and minimizing the damage as much as possible. Twitter along with other significant industry peers have of course been notified.
UPDATE: Twitter has confirmed the vulnerability is fixed now.
2010 Sep 07, 21:47
Seems like it still works under Firefox.
They put dev.twitter.com offline. We've some variants on the original attack, all exploiting some flaw within the validation of "query" parameter on the page...