Twitter is Hacked Tuesday Morning - September 21, 2010
Twitter was overrun with malicious posts on the morning of September 20 that used a programming flaw (an XSS vulnerability) to play pranks, distribute porn and spread worms to unsuspecting users. XSS stands for cross-site scripting, a class of web application flaw that lets attackers inject scripts into web pages. The first worm, or prank, was launched on Tuesday morning by Magnus Holm, a Norwegian Ruby programmer who uses the Twitter handle @judofyr. It consisted of a single link with an embedded "onmouseover" attribute, an HTML event handler that runs JavaScript, which caused the link to be tweeted automatically when the mouse cursor hovered over it. In some cases the script also made the user forward the offending links virally to their followers and the rest of Twitter. The worm rendered the injected text as black blocks to hide the malicious code. Holm said he created the worm only to experiment with the flaw, so it was not intended to damage anyone's Twitter account; it was simply an experiment. Even so, he believed his worm had already reached at least 200,000 users.
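The flaw described above is an attribute-injection XSS: a URL is placed inside an `<a href="...">` attribute without encoding, so a double quote in the URL closes the attribute and whatever follows becomes new attributes, such as an `onmouseover` handler. The following is an added example, not code from the original post or from Twitter; it models the vulnerable rendering pattern, its hardened counterpart, and a small attribute-name check a defender can run over rendered markup. The input string is constructed for the example and its handler body is inert. Note that URL scheme validation alone does not stop this: the input parses as a valid `http:` URL, and only attribute encoding neutralizes the breakout.

```javascript
// Added example (not the original post's or Twitter's code).
// Shows how an unencoded URL inside href lets attacker-controlled text close
// the attribute and add an event handler, and how attribute encoding plus
// scheme validation prevents it.

// Vulnerable rendering: the URL is interpolated straight into the attribute.
function renderLinkVulnerable(url) {
  return `<a href="${url}">${url}</a>`;
}

// Encode the characters that are significant inside HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only http(s) URLs that the WHATWG URL parser can parse.
// This blocks javascript: links but, on its own, does NOT stop attribute
// breakout, because a quote is legal inside a URL path.
function isSafeHttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Hardened rendering: validate the scheme, then encode for the attribute
// context. Unsafe URLs are shown as plain escaped text, not as links.
function renderLinkHardened(url) {
  if (!isSafeHttpUrl(url)) return escapeHtml(url);
  const safe = escapeHtml(url);
  return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
}

// Defender-side check: list the attribute names the browser would see on the
// first <a> tag. A simplified tokenizer for well-formed output; a real HTML
// parser should be used for production auditing.
function attributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/i);
  if (!tag) return [];
  const attrRe = /([^\s"'=<>]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/g;
  return [...tag[1].matchAll(attrRe)].map((m) => m[1].toLowerCase());
}

// True if any on* event-handler attribute ended up on the tag.
function hasEventHandler(html) {
  return attributeNames(html).some((name) => name.startsWith('on'));
}

// Constructed input modelled on the shape of the 2010 injection: a quote
// closes href, then an event-handler attribute follows. The handler is inert.
const constructedInput = 'http://example.com/"onmouseover="void(0)"x="';

// Usage: the vulnerable output carries an onmouseover attribute, the hardened
// output does not, because the quotes are encoded as &quot;.
console.log(renderLinkVulnerable(constructedInput));
console.log(attributeNames(renderLinkVulnerable(constructedInput)));
console.log(renderLinkHardened(constructedInput));
console.log(attributeNames(renderLinkHardened(constructedInput)));
```

The same rule generalizes: every untrusted value must be encoded for the exact context it lands in (attribute value, text node, URL component, script string), and quoting the attribute is not a substitute for encoding the quote character itself.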
Among the pranks, one targeted Sarah Brown, wife of former British Prime Minister Gordon Brown. According to a blog post by Graham Cluley, an expert at security software maker Sophos, a link on her page redirected visitors to a hard-core Japanese porn site. He added that there were tens of thousands of dodgy links circulating on Twitter accounts.
Another attack, which took over the victim's entire screen, appears to have been started by a Twitter user called @Matsta. Matsta's website contained the 1980s singer Rick Astley's music video for "Never Gonna Give You Up" with an added message: "Rick is dancing because he just lost the game." Twitter has since disabled his account.
According to WhiteHat Security, a web site security firm, cross-site scripting flaws exist in seven out of ten web sites. To avoid such situations, the security experts at Twitter offered several remedies. They recommended that Twitter users avoid the website and instead use a third-party Twitter client such as TweetDeck to access the service. Using a JavaScript blocker such as the NoScript add-on for Firefox also protects against such worms.
Later, at 10:00 PM the same day, Twitter announced that it had patched the XSS flaw and fixed the problem.