Sep 22, 2010 07:25 GMT  ·  By

The highly viral cross-site scripting (XSS) worm that hit Twitter yesterday did not carry a malicious payload, but the attack was still monetized by redirecting affected users to surveys.

As most people are aware by now, Twitter was the target of several XSS-based attacks yesterday. Some of them consisted of simple JavaScript pop-ups that appeared when users moused over a specially crafted tweet.

However, more serious variants self-replicated: they forced logged-in users who moused over the tweet to re-post the malformed text on their own feeds.

The most severe variant used a class="modal-overlay" attribute, which drew an overlay over the page and made it much harder for affected account owners to delete the offending tweet.
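To make the bug class concrete, here is an added illustration that is not Twitter's code and not the actual worm payload: a tweet renderer that auto-links URLs by interpolating the matched text straight into an href attribute, shown next to a version that escapes the text first. A quote character inside the "URL" terminates the attribute, and whatever follows is parsed as further attributes, such as an onmouseover handler. The URL pattern, the escaping helper, the attribute parser and the sample tweet are all constructed for this example.

```javascript
// Added illustration (not Twitter's code): the class of bug behind a
// mouse-over XSS worm. A renderer auto-links URLs by interpolating the
// matched text straight into an href attribute. If the matched text
// contains a double quote, it closes the attribute and whatever follows
// is parsed as new attributes, such as an onmouseover handler.

// Constructed URL matcher: anything from http(s):// up to whitespace.
const URL_RE = /https?:\/\/[^\s]+/g;

// Vulnerable: attribute content is interpolated without escaping.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: escape every character that can terminate or alter an
// attribute value or a text node before interpolating it.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    const esc = escapeHtml(url);
    return `<a href="${esc}">${esc}</a>`;
  });
}

// Parse the attributes of the first <a ...> tag in a fragment, roughly the
// way a browser tokenizer would, so we can inspect what each renderer emits.
function anchorAttributes(html) {
  const m = /<a\s+([^>]*)>/.exec(html);
  if (!m) return {};
  const attrs = {};
  const attrRe = /([a-zA-Z-]+)="([^"]*)"/g;
  let a;
  while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
  return attrs;
}

// Constructed sample tweet (not the real payload): the "URL" smuggles in a
// quote that ends the href and an event-handler attribute after it.
const craftedTweet = 'check this http://example.test/"onmouseover="alert(1)" out';

function hasEventHandler(attrs) {
  return Object.keys(attrs).some((k) => k.startsWith('on'));
}

// Compare the two renderers on the crafted tweet.
function demo() {
  const unsafe = anchorAttributes(linkifyUnsafe(craftedTweet));
  const safe = anchorAttributes(linkifySafe(craftedTweet));
  return {
    unsafeHasHandler: hasEventHandler(unsafe), // true: onmouseover injected
    safeHasHandler: hasEventHandler(safe),     // false: quote became &quot;
    safeHref: safe.href,
  };
}
```

The fix is not to strip the word "onmouseover" or to blacklist quotes; it is to escape every interpolated value for the HTML context it lands in, here an attribute value, at the point of output. A regression like the one Twitter describes typically happens when a new rendering path reintroduces the raw interpolation while the old, escaped path still exists elsewhere.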

This modal-overlay attack appears to have been started by a Twitter user called @Matsta, whose account has since been suspended.

A snapshot of the page still available in Google's cache lists the account owner's name as Matt Gascoigne and his location as Auckland, New Zealand.

We're not certain this information is real, but what's clear is that after launching the attack, Matsta tweeted this: "Follow this guide to unhack your Twitter account! http://bit.ly/[censored] #unhack"

BitDefender reports that the bit.ly link included in the message, which was re-tweeted by many users, directed people to a page that asked them to complete a survey.

Like most of the survey scams that have plagued Facebook users in recent months, the landing page is location-aware and only targets users in certain countries, usually the US and the UK.

When we accessed it, we got this message: "Sorry, There are no surveys available to your country at this time. Please try back later."

We managed to get past the survey dialog box and click on the "See more" link. This took us to a publicly accessible guide on a different domain, which explains how to block someone on Twitter, but gives no information about the XSS attack.

According to a more detailed report from Twitter, the cross-site scripting vulnerability that made the attacks possible had already been fixed, but was accidentally reintroduced by a recent site update.

"We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it," Bob Lord, a member of Twitter's security team, explained on the official blog.

Photo gallery (2 images): Twitter XSS worm leveraged to direct users to surveys; Twitter hack survey landing page.