Twitter Rolls Out Fix for Security Flaw

Reported hack exploited thousands of accounts

By Lauren Bertolini
|  Tuesday, Sep 21, 2010  |  Updated 10:48 AM PDT
[Photo: the Twitter website displayed on a laptop computer in London, July 2, 2009. Photo by Peter Macdiarmid/Getty Images]

Twitter has patched a security flaw that allowed thousands of accounts to be exploited, sending automated Tweets and redirecting users to websites without their consent.

The vulnerability, which only affected the Twitter.com interface, allowed anyone to embed a piece of JavaScript code in a tweet so that it ran as soon as other users hovered their mouse over the link, opening pop-up windows and posting tweets from their accounts. In effect, users "clicked" and shared a link merely by hovering over it.
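The defect class described above is tweet text reaching an HTML attribute without being encoded, so that a quote character in the tweet ends the attribute early and what follows is parsed as new attributes. The following is an added example, not code from Twitter or from the article: a constructed tweet renderer that linkifies URLs, shown in an unsafe form beside a hardened one that encodes every fragment for the context it lands in. All function and variable names are the example's own assumptions.

```javascript
// Added example (not Twitter's code): the rendering defect class from the
// article beside its fix. Names and the sample tweet are constructed here.

// Encode the characters that carry meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Matches http(s) URLs in tweet text; the capture group makes split() keep them.
const URL_RE = /(https?:\/\/\S+)/;

// Unsafe rendering: the URL is concatenated into the href attribute as-is, so a
// double quote inside the URL terminates the attribute early.
function renderTweetUnsafe(text) {
  return text.replace(new RegExp(URL_RE.source, "g"),
    (url) => `<a href="${url}">${url}</a>`);
}

// Safe rendering: every fragment is encoded for the context it lands in, and
// only values that parse as http/https URLs are turned into links.
function renderTweetSafe(text) {
  return text
    .split(URL_RE)
    .map((part, i) => {
      const isUrl = i % 2 === 1; // split() alternates text, url, text, ...
      if (!isUrl) return escapeHtml(part);
      let parsed;
      try {
        parsed = new URL(part);
      } catch (e) {
        return escapeHtml(part); // not a URL after all: render as plain text
      }
      if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
        return escapeHtml(part);
      }
      const enc = escapeHtml(part);
      return `<a href="${enc}">${enc}</a>`;
    })
    .join("");
}

// Count raw double quotes in rendered HTML. A single well-formed anchor has
// exactly two (the ones delimiting href); any more means a value broke out of
// its attribute, which is a cheap check to run in a rendering test suite.
function countRawQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed sample tweet containing a quote character inside the URL.
const SAMPLE_TWEET = 'see http://example.com/?q="x" now';

console.log("unsafe:", renderTweetUnsafe(SAMPLE_TWEET));
console.log("safe:  ", renderTweetSafe(SAMPLE_TWEET));
```

The unsafe renderer emits the quote from the tweet inside the `href` attribute unchanged, so the attribute closes early; the safe renderer encodes it as `&quot;`, which the browser decodes back to a quote in the URL but never treats as attribute syntax.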

Twitter initially resolved this issue back in August, but a recent update to the site "unknowingly resurfaced it," according to a post on the company blog Tuesday afternoon.

The issue was first made public by Sophos, a company that makes web security software, in a blog post early Tuesday morning after a number of high-profile Twitter accounts were affected by the bug. The site points out that initially the flaw had been used only for "fun and games," redirecting users to porn sites rather than exposing them to malware.

Twitter made a similar point in its blog post: "The vast majority of exploits related to this incident fell under the prank or promotional categories."

Among the high-profile victims is Press Secretary Robert Gibbs. After an auto-tweet appeared on his account, Gibbs posted, "My Twitter went haywire - absolutely no clue why it sent that message or even what it is...paging the tech guys..."

The folks over at ReadWriteWeb and TechCrunch point to user Judofyr as exposing the vulnerability.

"I simply wanted to exploit the hole without doing any 'real' harm," he said in an interview with BBC News. "It started off as 'ha, no way this is going to work'."

Earlier in the day Judofyr tweeted, "as far as I know, I started the first worm, but I can't say for sure," but he claimed to have found the flaw on rainbowtwtr's account, adding "I only came up with the idea to turn it into a worm."

That worm was spread through at least 200,000 messages, according to BBC News.

For the tech junkies out there, The Next Web offers a more in-depth explanation of the cross-site scripting vulnerability.
