Twitter XSS Worm 2009

The Twitter Worm (2009) – "OnMouseOver" XSS Attack

The 2009 Twitter Worm was a self-replicating cross-site scripting (XSS) attack that exploited the onmouseover event in tweets. When a user hovered over an infected tweet, the worm retweeted itself from that user's account, spreading rapidly across Twitter.


How Did the Worm Work?

  1. Exploited a Stored XSS Vulnerability

    • Twitter failed to sanitize user-generated content, allowing attackers to inject JavaScript into tweets.
    • Attackers inserted malicious JavaScript using the onmouseover event.
  2. Auto-Execution When Users Hovered Over Links

    • The malicious JavaScript executed automatically when a user hovered over an infected tweet.
    • The script retweeted or posted itself from the victim’s account, continuing the spread.
  3. Self-Replication (Worm Behavior)

    • Each infected user unknowingly spread the worm when others hovered over their tweets.

Example of the Exploit

The attacker injected the following HTML, carrying JavaScript in an inline onmouseover handler, into a tweet:

<a href="#" onmouseover="document.getElementById('tweetbox').value='Worm Attack!'; document.forms[0].submit();">Hover Me</a>

Impact of the Twitter Worm

🔴 Thousands of users were affected within minutes
🔴 Users unknowingly spread malicious tweets
🔴 Twitter had to quickly patch the XSS vulnerability
🔴 Highlighted the dangers of unfiltered user input in social media


How Twitter Fixed It

✔ Sanitized User Input

✔ Implemented Content Security Policy (CSP)

✔ Added Filtering for Event Handlers (onmouseover, onclick, etc.)

✔ Security Audits & XSS Prevention
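The fixes listed above combine two layers: strip dangerous markup on the server, and tell the browser not to run inline script even if something slips through. The block below is an added example written for this page, not Twitter's code, that shows both: an allowlist sanitizer (only `a`, `b` and `i` tags, only `href` on `a`, only `http`, `https` and `mailto` URLs; these allowlists are assumed choices) run against the exact payload shown earlier, and a CSP value with no `'unsafe-inline'`, which is what makes a browser refuse inline event handlers such as onmouseover. The tokenizer is regex-based to keep the example self-contained; a production system should use a full HTML parser or a proven sanitizer library, or simply escape all user markup.

```javascript
// Added example, not Twitter's code: an allowlist sanitizer for user-supplied
// tweet markup, plus a CSP header that blocks inline handlers as a second layer.
// Design: everything is HTML-escaped by default; only tags in ALLOWED_TAGS and
// attributes in ALLOWED_ATTRS are re-enabled, so every on* event handler and
// every javascript: URL is dropped without needing a denylist of handler names.

const ALLOWED_TAGS = new Set(['a', 'b', 'i']);                 // assumed allowlist
const ALLOWED_ATTRS = { a: new Set(['href']), b: new Set(), i: new Set() };
const SAFE_SCHEMES = /^(https?:|mailto:)/i;                    // assumed URL policy

// The snippet from the page above, used here only as test input for the sanitizer.
const WORM_PAYLOAD =
  '<a href="#" onmouseover="document.getElementById(\'tweetbox\').value=\'Worm Attack!\'; document.forms[0].submit();">Hover Me</a>';

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Accept an href only if, after removing whitespace and control characters
// (which browsers ignore and which are used to disguise "javascript:"),
// it starts with an allowed scheme. Returns null when the URL is rejected.
function sanitizeHref(raw) {
  const probe = raw.replace(/[\u0000-\u0020]/g, '');
  return SAFE_SCHEMES.test(probe) ? probe : null;
}

// Parse name="v", name='v', name=v and bare name attributes from a tag body.
function parseAttrs(attrString) {
  const out = [];
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    out.push({ name: m[1].toLowerCase(), value });
  }
  return out;
}

// Sanitize a fragment of user markup. Tags outside the allowlist (script,
// img, iframe, ...) are rendered as literal text; allowed tags keep only
// allowed attributes and are re-balanced so a tweet cannot leave tags open.
function sanitizeTweetHtml(input) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const open = [];
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      out += escapeHtml(m[0]);                      // disallowed tag becomes visible text
      continue;
    }
    if (closing) {
      if (open.length && open[open.length - 1] === tag) {
        open.pop();
        out += `</${tag}>`;
      }
      continue;                                     // stray close tags are dropped
    }
    let attrs = '';
    for (const { name, value } of parseAttrs(m[3])) {
      if (!ALLOWED_ATTRS[tag].has(name)) continue;  // onmouseover, onclick, style, ... dropped here
      if (name === 'href') {
        const href = sanitizeHref(value);
        if (href !== null) attrs += ` href="${escapeHtml(href)}" rel="noopener noreferrer"`;
      }
    }
    open.push(tag);
    out += `<${tag}${attrs}>`;
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Second layer: a CSP without 'unsafe-inline' makes the browser refuse inline
// event handlers and inline <script>, so a handler that slips past the
// sanitizer still does not execute. The values are an assumed policy.
function contentSecurityPolicy() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

function demo() {
  console.log(sanitizeTweetHtml(WORM_PAYLOAD));
  console.log(sanitizeTweetHtml('<a href="https://example.com">ok</a> <script>alert(1)</script>'));
  console.log('Content-Security-Policy: ' + contentSecurityPolicy());
}
demo();
```

Run with `node` and the worm payload comes back as `<a>Hover Me</a>`: the `href="#"` fails the scheme check and the onmouseover attribute is never copied, because the sanitizer only knows what to keep, not what to remove. The CSP line is sent as a response header on every page that renders tweets; with no `'unsafe-inline'` in `script-src`, the browser itself ignores any inline handler attribute that reaches the DOM.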


Lessons from the Twitter Worm

🔹 XSS vulnerabilities can be wormable, causing mass infections.
🔹 Sanitize all user-generated content before rendering.
🔹 Never allow JavaScript event handlers (onmouseover, onclick) in user inputs.
🔹 Use CSP headers to prevent inline script execution.

The 2009 Twitter Worm was a powerful reminder that even simple XSS flaws can have massive security implications. 🚀