Hackers Infect Twitterverse With Worm Using Old, Known Bug

By Jennifer Welsh | September 22, 2010 12:31 pm

Yesterday’s Twitter meltdown was caused by a known flaw that resurfaced with the help of a 17-year-old Australian and a Scandinavian developer, among others.

The boy, Pearce Delphin, and the developer, Magnus Holm, discovered the JavaScript vulnerability, which allowed hackers to make other users launch various functions merely by mousing over links in tweets sent by the hackers. Instead of reporting the vulnerability to Twitter, Delphin tweeted it–and it caught on.

“I did it merely to see if it could be done … that JavaScript really could be executed within a tweet,” Delphin told AFP via email. “At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn’t even considered it.” [AFP]

Holm takes the credit for turning the vulnerability into a worm, by making it re-tweet itself, that propagated virally among Twitter.com users.

At first he thought the worm wouldn’t really do anything: “meh, this worm doesn’t really scale. the users can just delete the tweet :(” he wrote. Then within a few minutes he saw that it had started spreading virally. “holy shit. I think this is exponential: “3381 more results since you started searching,” he said – adding, a few minutes later “This is scary.” [The Guardian]

Many hackers got on the bandwagon, adapting the script so that anyone who moused over it automatically tweeted a bizarre message, or opened a pornographic website, covered the page in huge letters, or turned the whole page into a link that re-tweeted the worm.

The interesting twist is that the vulnerability was previously reported to Twitter by Japanese developer Masato Kinugawa on August 14, and the site promptly fixed it. But a later site update (which Twitter says is unrelated to the “new Twitter” launch and roll-outs) reversed the patch, making the site exploitable through this script again. Kinugawa even made a “Rainbow Twtr” account, now defunct, showing how the vulnerability allowed him to change the color of his tweets.
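The bug class the article describes is an attribute-context injection: text from a tweet is spliced into the `href` of a generated link, so a quote character in the tweet ends the attribute and whatever follows becomes a new attribute, such as a mouse-over handler. The following is an added illustration, not code from the article or from Twitter, with constructed names and a constructed probe string. It shows a naive linkifier beside a hardened one that escapes every interpolation and refuses URLs containing characters outside the URL character set, plus the kind of regression check that would have flagged the patch being reversed by a later deploy.

```javascript
// Added example (not Twitter's code): vulnerable vs. hardened tweet linkifier
// and a regression check suitable for a deploy pipeline.

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Anything that starts with http(s):// and runs to the next whitespace.
const URL_RE = /https?:\/\/[^\s]+/g;

// Vulnerable linkifier (constructed): the matched text is spliced straight into
// href="...", so a double quote inside the "URL" closes the attribute and the
// rest of the match is parsed as further attributes on the <a> element.
function renderTweetVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Only characters legal in a URL (RFC 3986 unreserved, reserved and percent).
// A double quote is not among them, so a quote never reaches the attribute.
const SAFE_URL_RE = /^https?:\/\/[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$/;

// Hardened linkifier: every piece of tweet text is escaped for its context,
// and a candidate URL that fails the allow-list is rendered as plain text.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    if (SAFE_URL_RE.test(url)) {
      const e = escapeHtml(url);
      out += `<a href="${e}">${e}</a>`;
    } else {
      out += escapeHtml(url);
    }
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Regression check: render a constructed probe with a quote followed by an
// event-handler attribute name, and fail if that sequence survives inside a tag.
// Running this against every build is what catches a fix being silently undone.
function renderIsSafe(render) {
  const probe = 'see http://example.invalid/a"onmouseover="x() now'; // constructed
  const html = render(probe);
  return !/<[^>]*"onmouseover=/.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable renderer passes check:', renderIsSafe(renderTweetVulnerable));
console.log('hardened renderer passes check:  ', renderIsSafe(renderTweetSafe));
```

The allow-list on the URL is what does the real work: escaping alone would also have stopped the attribute break-out, but rejecting malformed URLs outright means a quote in a link is never even a candidate for the attribute, and the probe-based check guards the behaviour rather than the specific line of code that a later refactor might drop.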

The hack affected thousands of Twitter users, including the White House’s press secretary Robert Gibbs, who switched to using TweetDeck, as users of third-party applications weren’t affected by the bug.


Image: Flickr/Monkeyworks illustration

  • Al-Sinbad Bercasio

    Nice!! I was actually affected by this so-called “mouseover hack” on Twitter. Every time I accidentally hovered my mouse over these tweets, the site immediately retweeted them. As a result, I was also blocked from using Twitter for an hour because I “had too many status updates exceeded the maximum no. at a time.”

    Thanks for posting this. When I saw it on Twitter, I instantly opened the link to see what it was all about. Now I get it; I’m just really psyched that Twitter is not dysfunctional anymore. Tweeting is still FTW!! I don’t know what would happen w/o Twitter.

  • bill

    “I just hadn’t even considered it.”

    In a better world, such blindness would be the cause of scorn. In ours, he’ll probably be speaking to conferences and labeling himself a consultant.

  • blue

    “I don’t know what would happen w/o Twitter.”

    Yes, unfathomable, how could we possibly survive such a dystopian hell?

  • Jennifer Welsh

    Haha, great comments!

    Thanks all for reading and commenting. I guess in comparison to the person who exploited the weakness to make a worm AND sent it out into the Twitterverse, Delphin isn’t that bad.

    I guess if we had to live without Twitter, we would all just have to sell our souls to Zuckerberg.

    Jen
