Twitter came under attack on Tuesday as hackers exploited a security flaw to wreak havoc on the microblogging service.
Computer security firms said thousands of users, or more, were affected by the bug, which appears to send out or “re-tweet” messages when a user simply rolls the computer mouse over an infected link.
Those hit by the bug included Sarah Brown, the wife of the former British prime minister, who has over one million followers on Twitter, and White House press secretary Robert Gibbs.
“My Twitter went haywire – absolutely no clue why it sent that message or even what it is… paging the tech guys,” Gibbs wrote on @presssec.
Here are some tweets that came through Gibbs’s feed:
PressSec RT @doog_: http://t.co/@"onmouseover="document.getElementById('status').value='RT doog_';$('.status-update-form').submit();"class="modal …
PressSec RT @UchihaBlood: @anafree I really think something is seriously wrong with twitters servers they are running scripts directly frm the st …
The Hill adds that Rep. Rob Wittman’s (R-Va.) account was also attacked. A RAW STORY editor’s Twitter account also retweeted the “doog” message.
Twitter said it had identified the attack and was working on a solution.
We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again when it is.
Update (6:50 PDT, 13:50 UTC): The exploit is fully patched.
“We expect the patch to be rolled out shortly and will update again when it is,” the San Francisco-based service said in a brief statement on its website.
Security expert Graham Cluley of computer security firm Sophos said the bug only affected users of the Twitter.com website, not third-party programs developed to access the popular microblogging service.
Cluley said the bug was allowing messages to pop up and third-party websites, including pornography sites, to open in a Web browser.
He said that in Sarah Brown’s case her “Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan.”
“It looks like many users are currently using the flaw for fun and games,” Cluley said.
“But there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” he said. “Hopefully Twitter will shut down this loophole as soon as possible.”
The infected links look like regular messages, or “tweets,” but contain lines of random computer code or are completely blacked out like a message that has been redacted.
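Why the code in those tweets runs, shown as an added example that is not from the article or from Twitter: it assumes the page turned URLs into links by pasting the matched text into a quoted href attribute, so a double quote inside the "URL" closes the attribute and the remainder is parsed as new attributes such as onmouseover. The sample tweet is constructed with an inert handler, and linkifyNaive, linkifySafe and anchorAttributes are hypothetical names.

```javascript
// Added illustration; not Twitter's code. All function names are hypothetical.

// Constructed sample shaped like the tweet quoted in the article, inert handler body.
const SAMPLE = 'RT http://t.co/@"onmouseover="void(0)"class="x';

// Loose URL matcher (assumption): everything up to whitespace is the link.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched text is pasted into a quoted attribute unescaped.
function linkifyNaive(text) {
  return text.replace(URL_RE, (u) => '<a href="' + u + '">' + u + '</a>');
}

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape the surrounding text and the URL in both output positions.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += '<a href="' + u + '">' + u + '</a>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Check: list the attribute names a parser would see on the first <a> tag.
function anchorAttributes(html) {
  const tag = html.match(/<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  for (const m of tag[1].matchAll(/([^\s"'=<>\/]+)\s*=\s*"[^"]*"/g)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

console.log(anchorAttributes(linkifyNaive(SAMPLE))); // href plus injected attributes
console.log(anchorAttributes(linkifySafe(SAMPLE)));  // href only
```

Any attribute name beginning with "on" in the first result is an event handler the tweet author, not the site, put on the link; a regression test for a linkifier can assert that only href survives.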
Twitter, which allows users to pepper one another with messages of 140 characters or less, has over 145 million registered users, co-founder Evan Williams said recently.
At the Examiner, Michael Santo warns, “Though Twitter has reported that it has fully closed the hole which, one would assume, would mean that the patch has propagated through the cloud, it might be good to only access the site via third party apps like TweetDeck and others. You wouldn’t want to end up like Julie Amero, who was brought to trial as a result of a computer that was infected with spyware and DNS hijacking software popping up pornographic images in a classroom. She was convicted, the conviction overturned, but eventually she pleaded guilty to a single charge of disorderly conduct, forfeiting her teaching credentials and paying a $100 fine.”
(with additional reporting by AFP)