About the Twitter 'URL Injection' Attack
Yesterday Twitter was subject to being ‘hacked’ for a number of hours – see Twitter Mouseover Hack.
I don’t follow very many people on Twitter and didn’t directly experience this hack myself, but the way it worked was very interesting and so simple that anyone with a little experience of coding HTML would understand it. It’s difficult to believe that such a large site could make such a fundamental mistake.
All the hacked tweets contained a double quote mark (") near the start of the tweet. A double quote should never be accepted as part of a URL input by any CMS or back-end system, because a double quote terminates the href attribute. The attack has a lot in common with an SQL injection attack.
If you imagine how tweeted links are output to the page by Twitter’s back end, it would be like this:
<a href="http://url"> Link text </a>
The tweets start with a very short URL, such as t.co (to leave room for more characters of code after it), followed by a quote mark. This quote mark closes the href attribute shown above. After this, anything else written is handled as an HTML attribute of the anchor element, rather than as part of the link destination.
A (slightly simplified) example of a hacked tweet:
Combining this with the previous piece of code, Twitter’s back end outputs a link like this:
<a href="http://t.co" style="font-size:4em;color:red"> Link Text </a>
Which would be rendered as big, red text:
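The mistake described above, as an added example that is not code from the post or from Twitter: a renderer that pastes the URL straight into the href (reproducing the tag shown above) beside a hardened one that validates the host and escapes the value for an attribute context. The function names and sample tweet strings are constructed for this illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of the tweet shape the post describes: a short URL,
# a double quote, then text that lands inside the <a> tag as an attribute.
INJECTED_TWEET_URL = 'http://t.co" style="font-size:4em;color:red'
# Constructed variant with a valid host; the quote sits in the path instead.
PATH_INJECTION_URL = 'http://t.co/x" style="font-size:4em;color:red'


def render_link_vulnerable(url: str, text: str) -> str:
    """Back-end output as the post imagines it: no escaping at all."""
    return f'<a href="{url}"> {text} </a>'


def render_link_safe(url: str, text: str) -> str:
    """Hardened form: reject unexpected schemes and hosts, then escape
    for an attribute context so a quote can never close the href."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", parts.netloc):
        raise ValueError(f"unexpected host in {url!r}")
    # quote=True turns " into &quot; and ' into &#x27;, which is what
    # actually stops the injection; the host check alone is not enough.
    return f'<a href="{html.escape(url, quote=True)}"> {html.escape(text)} </a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attributes the browser would see on the first <a>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = attrs


def anchor_attributes(markup: str) -> dict:
    """Return {name: value} for the anchor's attributes; a link that was
    rendered safely has exactly one key, 'href'."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return dict(parser.attrs)
```

Running anchor_attributes over the two renderers shows the vulnerable output carrying an attacker-controlled style attribute, while the safe output keeps the whole string, quote included, inside href.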
In some cases of exploits and hacks it’s easy to blame the hackers, but in this case it’s such a schoolboy error that Twitter can’t really be excused for it. Things could have been much, much worse if an organised group of real hackers had discovered this vulnerability and spent some time planning a co-ordinated attack to steal Twitter users’ personal information (e.g. usernames and passwords).
This sort of exploit can occur on any site that allows UGC (user generated content) if the back-end developers haven’t done their testing, and it is something that anyone responsible for a commercial website should be aware of, just as with SQL injection.