About the Twitter 'URL Injection' Attack

Yesterday Twitter was 'hacked' for several hours – see Twitter Mouseover Hack.

I don't follow very many people on Twitter and didn't directly experience this hack myself, but the way it worked was very interesting and so simple that anyone with a little experience of writing HTML would understand it; it is difficult to believe that such a large site could make such a fundamental mistake.

All the hacked tweets contained a double quote mark (") near the start of the tweet. A double quote must never reach the page unencoded inside a URL attribute, in any CMS or back-end system, because it terminates the href attribute. The correct defence is to encode the URL for the attribute context when it is output (" becomes &quot;), not to hope that the input never contains one. The attack has a lot in common with SQL injection: in both cases user data is concatenated into a larger language without escaping the delimiter that switches from data back to code.

If you imagine how tweeted links are output to the page by Twitter’s back end, it would be like this:

<a href="http://url"> Link text </a>

The tweets start with a very short URL, such as t.co (to leave room for the characters that follow), then a double quote. This quote closes the href attribute shown above. Anything written after it is parsed by the browser as further attributes of the anchor element, rather than as part of the link destination.

This allowed the inclusion of CSS styles and JavaScript event handlers (far more can be done than a mouseover handler, and the hole was first found using CSS).

(slightly simplified) hacked tweet example:

http://t.co" style="font-size:4em;color:red
Combining this with the template above, Twitter's back end outputs a link like this:

<a href="http://t.co" style="font-size:4em;color:red"> Link Text </a>

Which would be rendered as big, red text:

Link Text

Far more can be done with JavaScript in an event handler: a short onmouseover handler can redirect the user to an external site, or can retweet the tweet from the viewer's own account the moment it is moused over. Combined with text hundreds of points high, it is hard not to mouse over the tweet, which is what let the affected tweets spread virally. It would also have been possible to pull in and execute a much larger external script with a single jQuery call (for example $.getScript).
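As an added example (not code from the original post, nor Twitter's own rendering code), the following JavaScript shows a minimal tweet-link renderer with the flaw described above beside a hardened version. The template, the helper names and the sample tweets are assumptions made for this demonstration; the onmouseover tweet is a constructed variant in the spirit of the mouseover worm, not a real tweet. The hardened renderer also rejects non-http(s) schemes, a check that goes beyond the specific case the post describes.

```javascript
// Added example, not the original post's or Twitter's code.

// Flawed rendering: the URL is dropped straight into a double-quoted href
// attribute, so a '"' inside the tweet ends the attribute early and whatever
// follows is parsed as further attributes of the <a> element.
function renderLinkVulnerable(url, text) {
  return '<a href="' + url + '"> ' + text + ' </a>';
}

// Output encoding for HTML: every character that can end a double-quoted
// attribute or start new markup becomes a character reference. '&' goes
// first so that the references added afterwards are not re-encoded. This
// is sufficient for both the attribute value and the link text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened rendering: only http(s) links are turned into anchors (so that a
// javascript: URL cannot be smuggled in, a neighbouring problem the post does
// not cover), and the URL is encoded for the attribute context on output.
// The quotation-mark problem itself is solved by the encoding, not by the
// scheme check.
function renderLinkSafe(url, text) {
  if (!/^https?:\/\//i.test(url)) {
    return escapeHtml(text);           // not a usable link: render as text
  }
  return '<a href="' + escapeHtml(url) + '"> ' + escapeHtml(text) + ' </a>';
}

// Rough model of what a browser sees: the names of the double-quoted
// attributes in the opening <a ...> tag. Used to show how many attributes
// the injected tweet really produced.
function attributeNames(html) {
  const open = html.match(/^<a\s([^>]*)>/);
  if (!open) return [];
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(open[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample tweets (assumptions for the demo, not real tweets):
// the styling payload from the post and an onmouseover variant.
const STYLE_PAYLOAD = 'http://t.co" style="font-size:4em;color:red';
const MOUSEOVER_PAYLOAD = 'http://t.co" onmouseover="alert(document.cookie)';

function demo() {
  for (const tweet of [STYLE_PAYLOAD, MOUSEOVER_PAYLOAD]) {
    const bad = renderLinkVulnerable(tweet, 'Link Text');
    const good = renderLinkSafe(tweet, 'Link Text');
    console.log('vulnerable:', bad, attributeNames(bad));
    console.log('hardened:  ', good, attributeNames(good));
  }
}

demo();
```

For the styling tweet the vulnerable renderer emits an anchor with two attributes, href and style, exactly as in the post; the hardened renderer emits a single href whose value still contains the attacker's text, but only as harmless &quot; references.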

In some cases of exploits and hacks it is easy to blame the hackers, but in this case it is such a schoolboy error that Twitter can't really be excused for it. Things could have been much, much worse if an organised group had found this vulnerability first and spent some time planning a co-ordinated attack to steal users' personal information (e.g. by reading session cookies from the page, or by presenting a fake login form to harvest usernames and passwords).

This sort of exploit can occur on any site that accepts UGC (user generated content) if the back end does not encode that content for the context it is output into (here, an HTML attribute) and the developers have not tested for it. Anyone responsible for a commercial website should be aware of it, just as with SQL injection.
