Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Twitter ReTweet Spam (XSS)

September 21, 2010 - 2 min read

This morning before I even logged into my system, I was receiving inquiries about the Twitter Spam going around. The source looks like:

And appears in Twitter as:
For those unfamiliar with t.co, it is Twitter's link service, which provides URL shortening as well as checks to ensure that the link doesn't go to a known malicious site (see About Twitter's Link Service for more info). You can see from the source of the tweet, that it is leveraging a cross-site scripting (XSS) vulnerability so that the scripting code following the "@" character is executed within the victim's browser, and just by mousing over the tweet you are retweeting it. The tweet name / retweet value varies. (a.no has been seen in addition to the t.co domain).

Doing a Twitter search for "Onmouseover" provides a laundry list of URLs and "victims" of this spam. The results of the spam campaign are tweet spam (annoyance) and a likely strain on Twitter services from the increase in retweets. After doing a Twitter search, after a few minutes, the search results showed over 30K more tweets since my initial search - this illustrates how rapidly spreading the XSS retweet spam is being spread.

ImageDigging a bit deeper into this reveals that it was an Australian teenager going by the handle zzap that discovered the XSS vulnerability whereby arbitrary script following the "@" character is executed (ref. NetCraft). Cross-site request forgery and cookie stealing attacks have been demonstrated leveraging the XSS vulnerability as well. Currently there are a number of Twitter worms leveraging this vulnerability (ref. F-Secure).

Some security precautions for users to consider:

  • Avoid accessing your Twitter account from a browser, consider using a Twitter client
  • If accessing your account via browser turn off JavaScript or use NoScript

Update from Twitter:

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.