This article is from the source 'bbc'. It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/go/rss/int/news/-/news/technology-11382469
The article has changed 5 times.
Version 1 | Version 2 |
---|---|
Twitter scrambles to block worms | Twitter scrambles to block worms |
(40 minutes later) | |
By Jonathan Fildes Technology reporter, BBC News | By Jonathan Fildes Technology reporter, BBC News |
Twitter has patched a flaw in its website that was being exploited to pump out pop-up messages and links to porn sites. | Twitter has patched a flaw in its website that was being exploited to pump out pop-up messages and links to porn sites. |
Initially, users only had to move their mouse over a message containing a link - not click it - to open it in the browser. | Initially, users only had to move their mouse over a message containing a link - not click it - to open it in the browser. |
The code was spread by worms, self-replicating, malicious pieces of code. | The code was spread by worms, self-replicating, malicious pieces of code. |
Thousands of users were caught out by the flaw, including Sarah Brown, the wife of the UK's former Prime Minister. | Thousands of users were caught out by the flaw, including Sarah Brown, the wife of the UK's former Prime Minister. |
"The exploit is fully patched," Twitter said on its status blog. | "The exploit is fully patched," Twitter said on its status blog. |
People using third-party Twitter software - such as Tweetdeck - were unaffected by the problem. | People using third-party Twitter software - such as Tweetdeck - were unaffected by the problem. |
The flaw comes just one week after Twitter rolled out a major redesign of its site. | |
'No regrets' | 'No regrets' |
The code exploited what is known as a cross-site scripting (XSS) vulnerability, a flaw in a website that can be exploited by relatively simple code. | The code exploited what is known as a cross-site scripting (XSS) vulnerability, a flaw in a website that can be exploited by relatively simple code. |
In the case of the most recent flaw, the command - written in a programming language called JavaScript - automatically directed users to another website, some of which contained pornography. | In the case of the most recent flaw, the command - written in a programming language called JavaScript - automatically directed users to another website, some of which contained pornography. |
The malicious links looked like a block of colour or a random URL that contained the code "onmouseover", which triggered when the cursor hovered over the link. | |
As well as directing users to websites and pop-ups, the code also sent a message from the infected user's account containing more code, essentially making the command self-replicating. | |
"There is no legitimate reason to tweet JavaScript," Graham Cluley, a researcher at security firm Sophos, told BBC News. | "There is no legitimate reason to tweet JavaScript," Graham Cluley, a researcher at security firm Sophos, told BBC News. |
The first self-replicating code, or worm, seems to have been written by a developer called Magnus Holm. | |
"I simply wanted to exploit the hole without doing any 'real' harm," he told BBC News. "It started off as 'ha, no way this is going to work'." | |
He said the flaw had been identified by others and had already been used for other means. | He said the flaw had been identified by others and had already been used for other means. |
"There were several other tiny hacks using the exploit - I only created the worm," he said. | "There were several other tiny hacks using the exploit - I only created the worm," he said. |
Mr Holm said he had seen his worm passed around in at least 200,000 messages. | |
Others soon copied his code using "other nasty or smart tricks" he said, including directing people to porn sites. | |
"It was only a matter of time before more serious worms started." | "It was only a matter of time before more serious worms started." |
However, he said he had no regrets and was "not sure" whether he would receive a call from Twitter. | However, he said he had no regrets and was "not sure" whether he would receive a call from Twitter. |
It is not the first time the service has suffered an attack. | It is not the first time the service has suffered an attack. |
In April 2009, another worm spread links to a rival site, again showing unwanted messages on infected user accounts. | In April 2009, another worm spread links to a rival site, again showing unwanted messages on infected user accounts. |
Mr Cluley said that Twitter needs "much tighter control" over what users can include in a tweet to prevent similar problems in the future. | Mr Cluley said that Twitter needs "much tighter control" over what users can include in a tweet to prevent similar problems in the future. |
He also warned users to continue to be on their guard, as once an exploit had been found there would be a raft of hackers looking for new ones or ways to circumvent the patch. | |
"We've seen it in the past," he said. "When Twitter says they have fixed a flaw, we see a new exploit again and again." | |
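The rendering bug the article describes, shown as an added example that is not code from the BBC article or from Twitter: a constructed tweet URL pasted into markup by string concatenation lets a quote character close the href attribute and smuggle in an onmouseover handler, while escaping attribute values and linking only http(s) URLs closes the hole. The function names, the constructed tweet and the placeholder handler name are assumptions for illustration.

```javascript
// Added example, not the article's or Twitter's code. Constructed tweet text:
// a quote ends the href value, then a new attribute is appended. The handler
// name is a placeholder, not a real payload.
const CONSTRUCTED_TWEET = 'http://a.example/"onmouseover="placeholderHandler()';

// Vulnerable rendering: the URL goes straight into the markup.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: only http(s) schemes become links, and every value is
// escaped, so a quote in the tweet can no longer terminate the attribute.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) return escapeHtml(url); // plain text, no link
  const esc = escapeHtml(url);
  return '<a href="' + esc + '">' + esc + '</a>';
}

// Check helper: list the attribute names of the rendered <a> tag. A browser
// accepts a new attribute right after a closing quote, so the unsafe output
// really does carry two attributes; the escaped output carries only href.
function attributeNames(html) {
  const open = html.match(/<a\s+([^>]*)>/i);
  if (!open) return [];
  const names = [];
  for (const m of open[1].matchAll(/([a-zA-Z-]+)\s*=\s*"[^"]*"/g)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// True when any attribute is an inline event handler such as onmouseover.
function hasEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}
```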