Twitter scrambles to block worms

By Jonathan Fildes
Technology reporter, BBC News

  • Published
SarahBrown Twitter
Image caption,
Sarah Brown, wife of former PM Gordon Brown, was one of those affected

Twitter has patched a flaw in its website that was being exploited to pump out pop-up messages and links to porn sites.

Initially, users only had to move their mouse over a message containing a link - not click it - to open it in the browser.

The code was spread by worms, self-replicating, malicious pieces of code.

Thousands of users were caught out by the flaw, including Sarah Brown, the wife of the UK's former Prime Minister.

"This issue is now resolved. We apologise to those who may have encountered it," wrote Bob Lord, security chief at the firm, in a blog post.

"Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts."

The firm said there was no need for users to change their passwords "because user account information was not compromised".

People using the mobile web site or third-party Twitter software - such as Tweetdeck - were unaffected by the bug.

The flaw comes just one week after Twitter rolled out a major redesign of its site.

'No regrets'

The code exploited what is known as a cross-site scripting (XSS) vulnerability, a flaw in a website that can be exploited by relatively simple code.

In the case of the most recent incident, the command - written in a programming language called Javascript - automatically directed users to another website, some of which contained pornography.

The malicious links looked like a block of colour or a random URL that contained the code "onmouseover", which triggered when the cursor hovered over the link.

"Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge," wrote Mr Lord.

The first self-replicating code, or worm, seems to have been written by a developer called Magnus Holm.

"I simply wanted to exploit the hole without doing any 'real' harm," he told BBC News. "It started off as 'ha, no way this is going to work'."

He said the flaw had been identified by others and had already been used for other means.

"There were several other tiny hacks using the exploit - I only created the worm," he said.

Mr Holm said he had seen his worm passed around in at least 200,000 messages.

Others soon copied his code using "other nasty or smart tricks" he said, including directing people to porn sites.

"It was only a matter of time before more serious worms started."

A Twitter user called Matsta appeared to have spread one variant. Their account has now been suspended.

Mr Holm said he had no regrets about his actions and was "not sure" whether he would receive a call from Twitter.

It is not the first time the service has suffered an attack.

In April 2009, another worm spread links to a rival site, again showing unwanted messages on infected user accounts.

Graham Cluley, a researcher at security firm Sophos, told BBC News that Twitter needs "much tighter control" over what users can put in a tweet to prevent similar problems in the future.

He also warned users to continue to be on their guard, as once an exploit had been found there would be a raft of hackers looking for new ones or ways to circumvent the patch.

"We've seen it in the past," he said. "When Twitter says they have fixed a flaw, we see a new exploit again and again."

Around the BBC

Related Internet Links

The BBC is not responsible for the content of external sites.