Twitter fixes cross-site scripting vulnerability

By on

Exploit stole a user's cookie to distribute compromised links.

Twitter has fixed a cross-site scripting (XSS) vulnerability that stole a user's cookie to distribute compromised links.

It was detected by Stefan Tanase, senior security researcher at Kaspersky Lab. He said that the exploit steals the cookie of the Twitter user, which is transferred to two specific servers, and essentially any account that clicked on the malicious links is compromised.

He said that the bit.ly statistics for one of the malicious links show that more than 100,000 users clicked on the link.

“All clues point to Brazil as the originating country for this attack. First, the two domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil,” he said.

One of the links was a short tweet in Portuguese about the Brazilian pop band Restart, reportedly suffering a 'tragic accident'. Tanase said there is not much doubt about the origins of this attack.

The malicious scripts were detected by Kaspersky Lab as Exploit.JS.Twetti.a, and it has blacklisted the URLs used in this attack.

Tanase said: “We are currently working on taking down the malicious URLs and minimising the damage as much as possible. Twitter along with other significant industry peers has of course been notified.”

Twitter commented that the vulnerability is now fixed.

See original article on scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
compromisedcrosssitedistributefixeslinksscriptingsecuritythattotwitterusedvulnerabilitywas

Sponsored Whitepapers

Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
Don’t pay the ransom: A three-step guide to ransomware protection

Events

Most Read Articles

NBN Co's 250Mbps and gigabit growth is finally clear

NBN Co's 250Mbps and gigabit growth is finally clear
NBN Co sizes up six-figure customer exodus a year to fixed wireless

NBN Co sizes up six-figure customer exodus a year to fixed wireless
NBN Co to cut 160 applications under $200m IT simplification

NBN Co to cut 160 applications under $200m IT simplification
Kmart Australia re-platforms ecommerce site to AWS

Kmart Australia re-platforms ecommerce site to AWS

Digital Nation

COVER STORY: A Year in the Metaverse
COVER STORY: A Year in the Metaverse
Why do DeFi and DAOs matter to business?
Why do DeFi and DAOs matter to business?
COVER STORY: Data and IoT set digital agriculture on a sustainable future
COVER STORY: Data and IoT set digital agriculture on a sustainable future
CTO Juergen Mueller offers a glimpse into SAP's metaverse play
CTO Juergen Mueller offers a glimpse into SAP's metaverse play
Lendlease launches its own metaverse in Milan
Lendlease launches its own metaverse in Milan

Log In

  |  Forgot your password?