September 21, 2010

Malicious Code Exposes Twitter Flaw

Twitter has fixed a flaw in its microblogging service that allowed malicious code to redirect users to porn sites when they simply rolled their mouse over a message.

Thousands of user accounts were used to exploit the flaw, including that of Sarah Brown, the wife of the U.K.'s former Prime Minister.

"The exploit is fully patched," Twitter said on its status blog.

People using third-party software were unaffected by the problem.

Initially, users only had to move their mouse over a message containing one of the links for the porn sites to open in their browser.

The code exploited what is known as a cross-site scripting (XSS) vulnerability, a class of website flaw that can be exploited with relatively simple code.

The code was spread by worms, which are self-replicating, malicious pieces of code.

The command, which was written in JavaScript, automatically redirected users to other websites, some of which contained pornography.

The malicious links appeared as a block of color or as a random-looking URL, and contained the code "onmouseover," an event handler that fired when the cursor hovered over the link.

The code also sent a message from the infected user's account containing more code, which made the command self-replicating.

"There is no legitimate reason to tweet JavaScript," Graham Cluley, a researcher at security firm Sophos, told BBC News.
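To make the mechanism described above concrete from the defender's side, here is an added example (not Twitter's code, and not the worm's) contrasting a link renderer that concatenates tweet text straight into HTML with one that validates the URL and escapes every interpolated value, plus the kind of ingestion check Cluley's remark implies. The sample tweet text and the `x()` handler name are constructed for illustration.

```javascript
// Escape the characters that matter inside HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only parseable http(s) URLs; the WHATWG parser also percent-encodes
// characters such as '"' in the path, so the result cannot end an attribute.
function safeHref(candidate) {
  try {
    const u = new URL(candidate);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.href;
  } catch (_) {
    return null; // not a URL at all
  }
}

// Vulnerable renderer: the user-controlled "URL" lands inside the tag as-is,
// so a quote in it closes href and anything after it becomes a new attribute.
function renderLinkUnsafe(urlText) {
  return '<a href="' + urlText + '">' + urlText + '</a>';
}

// Hardened renderer: validate first, then escape both attribute and text.
function renderLinkSafe(urlText) {
  const href = safeHref(urlText);
  if (href === null) return escapeHtml(urlText); // render as plain text, no link
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(urlText) + '</a>';
}

// Heuristic ingestion check (assumption, not Twitter's rule): flag text that
// carries an HTML event-handler attribute, which no ordinary tweet needs.
function containsEventHandler(text) {
  return /\bon[a-z]+\s*=/i.test(text);
}

// Constructed sample: a "URL" that breaks out of the href attribute.
const SAMPLE = 'http://example.com/"onmouseover="x()';

console.log(renderLinkUnsafe(SAMPLE)); // onmouseover becomes a live attribute
console.log(renderLinkSafe(SAMPLE));   // quotes neutralised, link still works
```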

A developer called Magnus Holm seems to have written the code.

"I simply wanted to exploit the hole without doing any 'real' harm," he told BBC News. "It started off as 'ha, no way this is going to work'."

He said the flaw had already been identified by others and had been used for other purposes.

"There were several other tiny hacks using the exploit - I only created the worm," he told BBC.

Holm said he saw his worm pass around at least 200,000 messages.

He said others soon copied his code using "other nasty or smart tricks," including links to porn sites.

"It was only a matter of time before more serious worms started."

A Twitter user going by the name Matsta appears to be one of those accused of spreading the code maliciously.

Holm told BBC he had no regrets about his actions and was "not sure" whether he would receive a call from Twitter.

This is not the first time the microblogging service has suffered an attack.

Another worm spread links to a rival site in April 2009, which also showed unwanted messages on infected user accounts.

Cluley told the BBC that Twitter needs "much tighter control" over what users can include in a tweet to prevent similar problems.

He also said that users should continue to be on guard as hackers look to keep exploiting the site.

"We've seen it in the past," he said. "When Twitter says they have fixed a flaw, we see a new exploit again and again."
