Twitter Rolls Out Fix for Security Flaw

Reported hack exploited thousands of accounts

Twitter has patched a security flaw that allowed thousands of accounts to be exploited, sending automated Tweets and redirecting users to websites without their consent.

The vulnerability, which only affected the Twitter.com interface, allowed users to insert a piece of JavaScript code into a tweet, creating pop-up windows and auto-tweets when users hovered their mouse over a link. In effect, users "clicked" and shared a link when they hovered over it.

Twitter initially resolved this issue back in August, but a recent update to the site "unknowingly resurfaced it," according to a post on the company blog Tuesday afternoon.

The issue was first made public by Sophos, a company that makes web security software, in a blog post early Tuesday morning after a number of high-profile Twitter accounts were affected by the bug. The site points out that initially the flaw had been used only for "fun and games," redirecting users to porn sites rather than exposing them to malware.

Twitter made a similar point in their blog post, "The vast majority of exploits related to this incident fell under the prank or promotional categories."

Among the high-profile victims is Press Secretary Robert Gibbs. After an auto-tweet appeared on his account, Gibbs posted, "My Twitter went haywire - absolutely no clue why it sent that message or even what it is...paging the tech guys..."

The folks over at ReadWriteWeb and Tech Crunch point to user Judofyr as exposing the vulnerability.

"I simply wanted to exploit the hole without doing any 'real' harm," he said in an interview with BBC News. "It started off as 'ha, no way this is going to work'."

Earlier in the day Judofyr tweeted, "as far as I know, I started the first worm, but I can't say for sure," but he claimed to have found the flaw on rainbowtwtr's account, adding "I only came up with the idea to turn it into a worm."

That worm was spread through at least 200,000 messages, according to BBC News.

 For the tech junkies out there, The Next Web offers a more in-depth explanation of the cross-site scripting vulnerability.

Contact Us