Twitter on Alert

Wednesday, September 22, 2010 @ 09:09 PM gHale


Automation security experts fear what social media could do to their systems. They had one big scare this week as Twitter was overrun with posts Tuesday that used a programming flaw to play pranks, distribute porn and spread worms to unsuspecting users.
The problem was short-lived and confined to Twitter’s old Web interface; it did not affect the new interface that Twitter is gradually rolling out or the company’s mobile applications.
Security experts said the offending posts carried an “onmouseover” event handler, an HTML attribute that runs JavaScript when the mouse pointer passes over the element. No click was needed: simply hovering over a poisoned tweet caused messages to pop up and Web sites to open automatically. In some cases the script also made the viewer’s own account forward the offending link, spreading it virally to their followers and the rest of Twitter.
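To show how a tweet can end up carrying an event handler at all, here is an added example (not Twitter’s code, and not the actual 2010 payload): a toy renderer that turns URLs in a tweet into links. The vulnerable version drops the matched URL straight into an href attribute, so a URL containing a double quote can close the attribute and add an onmouseover handler; the hardened version escapes each piece before placing it in HTML. The sample tweets, the `escapeHtml`, `linkifyVulnerable`, `linkifySafe` and `tagAttributeNames` functions are all constructed for this illustration.

```javascript
// Added example, not Twitter's code: a toy tweet renderer that turns URLs
// into links. The "vulnerable" version drops the URL straight into an href
// attribute, so a URL that contains a double quote can end the attribute and
// smuggle in an onmouseover handler. The hardened version escapes each
// piece before it is placed in HTML.

const URL_RE = /https?:\/\/\S+/g;

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the matched URL is interpolated unescaped into both the
// attribute value and the link text.
function linkifyVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: plain text and URLs are escaped separately, so a quote inside
// a URL becomes &quot; and can no longer terminate the href attribute.
function linkifySafe(tweet) {
  let html = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    html += escapeHtml(tweet.slice(last, m.index));
    const url = escapeHtml(m[0]);
    html += `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return html + escapeHtml(tweet.slice(last));
}

// Check helper: list the attribute names on the first <a> tag in the output.
// An injected handler shows up as an extra attribute named on*.
function tagAttributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  for (const attr of tag[1].matchAll(/([A-Za-z][\w-]*)\s*=\s*"[^"]*"/g)) {
    names.push(attr[1].toLowerCase());
  }
  return names;
}

// Constructed sample tweets (not the real 2010 payload). The second one
// carries a double quote followed by an event-handler attribute; in the
// worm described above the handler body re-posted the tweet from the
// viewer's own session.
const BENIGN = "see http://example.com/page today";
const PAYLOAD = 'check this http://example.com/@"onmouseover="alert(1)"/';

console.log("vulnerable:", linkifyVulnerable(PAYLOAD));
console.log("  attributes:", tagAttributeNames(linkifyVulnerable(PAYLOAD)));
console.log("hardened:  ", linkifySafe(PAYLOAD));
console.log("  attributes:", tagAttributeNames(linkifySafe(PAYLOAD)));
```

Run with `node` to see the two renderings side by side: the vulnerable output yields an `<a>` tag with both `href` and `onmouseover` attributes, while the hardened output yields a single `href` whose value contains `&quot;` instead of a live quote. The point is that escaping has to happen at the moment of insertion into HTML, per context; a filter that only looks for "javascript" in the tweet text would miss this payload entirely.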
Twitter posted a message on its status page saying: “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.” At 9:50 a.m. eastern time Twitter said it had fixed the flaw. (XSS is short for “cross site scripting” and refers to Web-application flaws that let attackers inject script into a site’s pages so that it runs in other users’ browsers.)
Later Tuesday, Twitter Security Chief Bob Lord said Twitter had patched the flaw used in the attack a month ago, but that a recent update “unknowingly resurfaced it.” At 5:54 a.m. eastern time a user notified Twitter of the security hole, and Twitter fixed it by 10 a.m.
“Users may still see strange retweets in their timelines caused by the exploit,” Lord said. “However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.”
Among the pranks was one that apparently ensnared Sarah Brown, wife of former British prime minister Gordon Brown. A link on her Twitter page redirected visitors to a hard-core Japanese porn site, according to a blog post by Graham Cluley, an expert at the security software maker Sophos.


