Sep 27, 2010 06:16 GMT

A cross-site request forgery weakness in the Twitter API and the abuse of an external service led to another rapidly propagating worm on Twitter over the weekend.

Overly curious Twitter users found themselves re-posting an embarrassing message about goats after clicking the included t.co shortened link.

Unlike the cross-site scripting worm that caused mayhem on Twitter last week, this one did not exploit any particular vulnerability in the site's pages.

The exploit itself was actually hosted on a remote website called PasteHTML.com, which provides an HTML code preview service.

"Use PasteHTML.com to put a HTML file online, quickly and with no registration. Use it as a sandbox for playing with CSS and Javascript," the site reads.

Someone realized that this service can be abused to create an HTML page with two hidden IFrames that push a status update through the Twitter API.

They then let Twitter hide the URL with its new t.co URL shortening service, causing people who clicked on it to load the IFrames and transparently post the goat message.

This type of attack is called a cross-site request forgery (CSRF) and involves attackers abusing a user's authenticated session to perform unauthorized actions.

The standard method of protection against CSRF is to use unique tokens for each session that must accompany every request.

This prevents compromise, because the attackers don't know the per-session tokens required to push actions through.

Unfortunately, implementing tokens would limit single-click features such as updating the Twitter status or using Facebook's Like button from an external page.
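The token check described above, as an added illustration that is not Twitter's code: a constructed in-memory session store, a status-update handler that requires a per-session token in the request body, and a forged request that carries the browser's cookie but, because a third-party page cannot read the first-party form, no token.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session record.
SESSIONS = {}


def login(user):
    """Create a session and mint a random per-session CSRF token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "statuses": []}
    return sid


def render_status_form(sid):
    """The site's own page embeds the token; a page on another origin cannot read it."""
    return {"session_cookie": sid, "csrf_token": SESSIONS[sid]["csrf"]}


def post_status(request):
    """Handler for a state-changing endpoint. Returns (status_code, message).

    'request' has the cookie the browser attaches automatically and the body
    that the submitting page controls.
    """
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401, "not logged in"
    supplied = request.get("body", {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    session["statuses"].append(request["body"]["status"])
    return 200, "posted"


def demo():
    sid = login("alice")
    # Legitimate post submitted from the site's own form, token included.
    form = render_status_form(sid)
    ok = post_status({"cookie": form["session_cookie"],
                      "body": {"csrf_token": form["csrf_token"], "status": "hello"}})
    # Forged cross-site request (e.g. from a hidden IFrame): the browser still
    # sends the session cookie, but the third-party page has no token to send.
    forged = post_status({"cookie": sid, "body": {"status": "unwanted update"}})
    return ok, forged, SESSIONS[sid]["statuses"]
```

The forged request is rejected with 403 while the token-bearing one succeeds, which is also why a single-click action from an external page cannot be made to work without weakening the check.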

"We’ve fixed the #WTF exploit and are in the process of removing the offending Tweets," the Twitter developers announced.

However, according to security experts, Twitter only blocked this particular exploit, not the underlying issue, so it's only a matter of time until someone finds a way to bypass the fix.

Some people have already pointed out that other services, like JSBin.com, can be abused in a similar manner to mount CSRF attacks.