Twitter was rendered nearly useless this morning by a handful of unusual hacks that affected users who access the service on Twitter.com. Each of the "worm" hacks worked in the same fundamental way. The worm's originator would send a tweet composed of JavaScript code. Other Twitter users, simply by moving their mouse over the offending tweet, would activate the code. Sometimes this code would simply render the text on the page in an unreadable giant red font; sometimes it would do something more malicious, like send the user to a pornography website. Whatever the effect, the code would also force the victim's Twitter account to send out an entirely new copy of the tweet, spreading more mayhem as the number of affected users multiplied rapidly. What allowed this to happen? What's the fallout?

"I just started a Twitter worm"

  • The Norwegian Programmer Who Started This: The New York Times' Riva Richmond reports, "The first worm of this kind appears to have been launched Tuesday morning by Magnus Holm, a Norwegian Ruby programmer who uses the Twitter handle @judofyr. ... In an e-mail, Mr. Holm said he created the worm 'because I wanted to experiment with the flaw,' which he says was already being exploited by others. 'The purpose was simply to see if it was possible to create a worm.' His worm turned the text in the post into black blocks to hide the dangerous text. Mr. Holm said his worm spread to at least 200,000 users. ... Mr. Holm described his worm as 'harmless,' but it appears to have inspired more malicious attacks by others."
  • Twitter's Gaping Security Hole: Ars Technica's Peter Bright explains the now-fixed flaw. "Generally, Web applications that incorporate text from untrusted sources should ensure that text is safe before displaying it to people. Today's flaw was a result of a failure to do that correctly. The twitter.com website converts URLs in tweets into clickable hyperlinks. However, if that URL contained an 'at' symbol (@), the conversion process was not handled properly, converting part of the URL into JavaScript embedded into the page. Because this JavaScript is embedded in pages on twitter.com, it has free and unfettered access to other website features, including the ability to send tweets. This allows embedded JavaScript to propagate itself further, hence forming the basis of today's worms that saw many tens of thousands of tweets sent automatically."
  • Could Have Gotten Much Worse: Computer security expert Graham Cluley warned while the problem was still ongoing, "It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed."
  • Not Twitter's First--Or Last--Worm Attack: BBC's Jonathan Fildes writes, "It is not the first time the service has suffered an attack. In April 2009, another worm spread links to a rival site, again showing unwanted messages on infected user accounts. Mr Cluley said that Twitter needs 'much tighter control' over what users can contain in a tweet to prevent similar problems in the future. ... 'We've seen it in the past,' he said. 'When Twitter says they have fixed a flaw, we see a new exploit again and again.'"
  • Robert Gibbs, Sarah Brown Both Hit: In a demonstration of social media's power as a great leveler, both White House Press Secretary Robert Gibbs and Sarah Brown, wife of former U.K. Prime Minister Gordon Brown, fell victim to one of the Twitter worms.
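As an added illustration of the bug class Bright describes (this is not Twitter's code, whose actual implementation the article does not show), here is a naive tweet "linkifier" that drops untrusted text straight into markup, beside a hardened one that validates the URL and encodes every untrusted piece before it lands in an href attribute or element content. The sample tweet and the example.com URL are constructed.

```javascript
// Added example, not code from Twitter or from any source quoted above.
// Both functions turn http(s) URLs in a tweet into <a> hyperlinks.

const URL_RE = /https?:\/\/\S+/g;

// Naive: interpolates the tweet text and the URL straight into markup, so a
// URL containing a double quote ends the href attribute early and whatever
// follows becomes part of the tag. This is the failure mode the article
// describes: untrusted text was not made safe before being displayed.
function linkifyNaive(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Encode the five characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only well-formed http(s) URLs become links; anything else stays plain text.
function isSafeHttpUrl(candidate) {
  try {
    const u = new URL(candidate);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Hardened: every slice of tweet text is encoded whether it ends up inside an
// attribute value or as element content, and the URL is validated first.
function linkifySafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    out += isSafeHttpUrl(url)
      ? `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`
      : escapeHtml(url);
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Constructed sample: a URL carrying an "@" and a stray double quote.
const SAMPLE_TWEET = 'look http://example.com/@" x=y here';
```

Run `linkifyNaive(SAMPLE_TWEET)` and `linkifySafe(SAMPLE_TWEET)` side by side: the naive output contains `href="http://example.com/@""`, the attribute closed by attacker-controlled text, while the hardened output renders the quote as `&quot;` and the link stays inert.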

"My Twitter went haywire - absolutely no clue why it sent that message or even what it is...paging the tech guys..."


"don't touch the earlier tweet - this twitter feed has something very odd going on! Sarah"


"don't know what everyone else got, but my bug sent me an advert for a weight loss program - as if that would work!"