Wednesday 22 September 2010

Twitter attack summary - what happened

Yesterday morning security experts Sophos put out a message saying that Twitter was being exploited by users who had figured out how to use a flaw to make messages pop up and other sites open in your browser window. In some cases users were redirected to a hardcore porn site in Japan.

It was originally reported that the code started with @RainbowTwtr and that it was best not to visit the user. Then, according to blogger Espen Antonsen, a Twitter user @judofry wanted to change the anchor background to black. Yet on his next tweet he added some mouseover code and all hell broke loose: 40,000 tweets in 10 minutes. (That's me on a weekend when watching X Factor.)

The latest from Mashable is that a 17-year-old from Australia is laying claim to accidentally setting off the events. Pearce Delphin said he noticed the flaw when he simply added some code to a tweet and it allowed a pop-up to appear on mouseover. Masato Kinugawa, a developer from Japan, has stated that he reported the cross-site scripting vulnerability to Twitter back in August, which Twitter patched. He then discovered he was able to run the code again, and created the above-mentioned account, @RainbowTwtr, to prove it could still be exploited.

Twitter's blog said that it was notified of the breach at 4:54 a.m. and realised the problem was being caused by "cross-site scripting". In short, a flaw that allowed users to run JavaScript in other users' browsers, which would turn tweets different colours or cause pop-up boxes to appear.

In some cases users added code to trigger retweets without the victim knowing. This happened to me on one of my Twitter accounts: for some reason my code was creating a giant blue letter H on the screen. Then I started seeing a load of tweets with dodgy code. My first thought was to delete the tweets on the Twitter page, so after noticing the onmouseover code I carefully moved my mouse down to "delete" and removed the tweet. Just as a test I refreshed the page and there it was again. Luckily the exploitation wasn't effective in TweetDeck and I managed to sort things out.
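The bug the post describes, as an added example that is not Twitter's code: a toy tweet linkifier in the shape that lets a quote inside a URL break out of the href attribute, beside a hardened version, with a small attribute lister showing which attributes a browser would see. The function names and the sample tweet are my own assumptions.

```javascript
// Added example, not Twitter's code: a toy tweet "linkifier" in the shape that
// lets a quote inside a URL break out of the href attribute, beside a hardened
// version, plus a small attribute lister showing what a browser would see.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched URL is dropped straight into the attribute. A double
// quote in the URL closes href, and the rest is parsed as further attributes
// (such as an onmouseover handler), which then run when the link is hovered.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// Escape the characters that matter in HTML text and quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened: percent-encode anything outside the URL character set before it
// reaches the attribute, then HTML-escape both the attribute and the link text.
function linkifySafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    const encoded = url.replace(/[^A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]/g, encodeURIComponent);
    out += `<a href="${escapeHtml(encoded)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Lists the attribute names a forgiving HTML tokenizer assigns to each start
// tag: enough to show the extra attribute the unsafe output grows.
function tagAttributeNames(html) {
  const attrRe = /([^\s"'=<>`\/]+)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  return Array.from(html.matchAll(/<([A-Za-z]+)([^>]*)>/g), t => ({
    tag: t[1].toLowerCase(),
    attrs: Array.from(t[2].matchAll(attrRe), a => a[1].toLowerCase()),
  }));
}

// Constructed sample tweet: a URL whose path carries a quote and a handler.
const SAMPLE_TWEET = 'look at this http://example.com/"onmouseover="alert(1)';

console.log(tagAttributeNames(linkifyUnsafe(SAMPLE_TWEET))); // [{ tag: 'a', attrs: ['href', 'onmouseover'] }]
console.log(tagAttributeNames(linkifySafe(SAMPLE_TWEET)));   // [{ tag: 'a', attrs: ['href'] }]
```

The hardened version keeps the quote as a percent-encoded path character, so it can never close the attribute; the same escaping applies to any other user-supplied text that lands in an attribute.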

Later in the day Twitter announced via their status updates that they were on the case and patching the problem, and later announced it was fully patched and all was well.

Twitter's blog now explains what the whole thing was about and that the majority of these exploits fell under the prank or promotional categories. Passwords don't need to be changed as no user account information was compromised.

I'm thinking that this could have been the makings of a horrible ad mechanic for Twitter: colour-coded tweets to 'warn' users that the tweet has mouseover code, or mouseovers removed in favour of clickable pop-outs. Instead of promoted tweets, Twitter charges you to add a little Flash file, video, microsite pop-up or auto-retweeting of a brand's message within a simple tweet. I'm thinking that for about 12 hours yesterday every credit check, porn site, penis enlargement company and that bloke in Nigeria with the millions in his frozen account were pretty excited, only to have their next great marketing strategy taken away from them.
