
Twitter victim of ‘onmouseover’ hole

by Sarah Griffiths on 21 September 2010, 16:58

Tags: Twitter

Quick Link: HEXUS.net/qaz5x


Twitter attack

Twitter has patched a fault in its website that was being used by unscrupulous individuals to spew out links to porn sites and pop-up messages.

Unsuspecting users only had to move their mouse over a message containing a link to open the third-party site or pop-up, without even having to click on it.

Apart from being really annoying, security firm Sophos said the messages were spreading virally, exploiting the micro-blogging site's vulnerability without the consent of its users, as the code was passed on by worms.

Thousands of unsuspecting Twitter accounts are believed to have posted messages exploiting the flaw including celebs like the former PM's wife, Sarah Brown.

She reportedly caught on pretty quickly, posting: "Don't touch the earlier tweet - this twitter feed has something very odd going on! Sarah," as her page is believed to have been altered to try and direct visitors to a porn site in Japan.

According to the BBC, the code took advantage of an XSS vulnerability, so a JavaScript command automatically directed users to another website.

The links reportedly looked like a random URL or block of colour containing the code 'onmouseover', which sent people to the desired site if their mouse touched it. However, in a cunning twist, it also posted a message from the user's account containing yet more code, creating self-replicating code.
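The class of bug the article describes, shown with added example code that is not from the article or from Twitter: a link renderer that splices a user-supplied URL straight into an HTML attribute, beside a hardened renderer that validates the scheme and encodes the value. The function names and the sample URL are assumptions made for the example.

```javascript
// Added example, not Twitter's code. A tweet's URL is rendered into an
// <a> tag; splicing the raw URL into the attribute lets a crafted URL
// close the quote and grow an onmouseover handler.

// Encode a value for a double-quoted HTML attribute or text content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Only http(s) URLs may become clickable links.
function isHttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Vulnerable renderer: attacker-controlled text becomes part of the tag.
function renderLinkVulnerable(url) {
  return `<a href="${url}">${url}</a>`;
}

// Hardened renderer: validate the scheme, then encode for the attribute
// and text contexts so the URL can never add attributes of its own.
function renderLinkSafe(url) {
  if (!isHttpUrl(url)) return escapeHtml(url); // plain text, no link
  const enc = escapeHtml(url);
  return `<a href="${enc}">${enc}</a>`;
}

// Review helper: list attribute names in the first <a> tag of the markup.
function anchorAttributeNames(html) {
  const tag = html.match(/^<a\s([^>]*)>/i);
  if (!tag) return [];
  return Array.from(tag[1].matchAll(/([a-z][\w-]*)\s*=\s*"[^"]*"/gi),
                    m => m[1].toLowerCase());
}

// Constructed sample modelled on the article: the URL's tail closes the
// href quote and smuggles in an inline event handler attribute.
const craftedUrl = 'http://example.test/" onmouseover="doSomething()';
console.log(renderLinkVulnerable(craftedUrl)); // two attributes
console.log(renderLinkSafe(craftedUrl));       // one attribute, handler inert
```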

The BBC said the first worm seems to have been written by a developer called Magnus Holm for fun and games but was hijacked for more worrying uses.

"I simply wanted to exploit the hole without doing any 'real' harm. It started off as 'ha, no way this is going to work'. There were several other tiny hacks using the exploit - I only created the worm," he reportedly said.

However, he warned that it was "a matter of time before more serious worms started," but added he did not regret his actions.