Twitter came under attack on Tuesday as hackers exploited a security flaw to wreak havoc on the microblogging service.
Computer security firms said thousands of users, or more, were affected by the bug, which appears to send out or “re-tweet” messages simply by rolling over an infected link with the computer mouse.
Those hit by the bug included Sarah Brown, the wife of the former British prime minister who has over one million followers on Twitter, and White House press secretary Robert Gibbs.
“My Twitter went haywire – absolutely no clue why it sent that message or even what it is… paging the tech guys,” Gibbs wrote on @presssec.
Here are some tweets that came through Gibbs’s feed:
PressSec RT @doog_: //t.co/@”onmouseover=”document.getElementById(‘status’).value=’RT doog_’;$(‘.status-update-form’).submit();”class=”modal …
PressSec RT @UchihaBlood: @anafree I really think something is seriously wrong with twitters servers they are running scripts directly frm the st …
The Hill adds that Rep. Rob Wittman’s (R-Va.) account was also attacked. A RAW STORY editor’s twitter account also retweeted the “doog” message.
Twitter said it had identified the attack and was working on a solution.
We’ve identified and are patching an XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again when it is.
Update (6:50 PDT, 13:50 UTC): The exploit is fully patched.
“We expect the patch to be rolled out shortly and will update again when it is,” the San Francisco-based service said in a brief statement on its website.
Security expert Graham Cluley of computer security firm Sophos said the bug only affected users of the Twitter.com website, not third-party programs developed to access the popular microblogging service.
Cluley said the bug was allowing messages to pop up and third-party websites to open in a Web browser, including links to pornography sites.
He said that in Sarah Brown’s case her “Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan.”
“It looks like many users are currently using the flaw for fun and games,” Cluley said.
“But there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” he said. “Hopefully Twitter will shut down this loophole as soon as possible.”
The infected links look like regular messages, or “tweets,” but contain lines of random computer code or are completely blacked out like a message that has been redacted.
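As an added illustration (not Twitter's code and not from this article), the following sketches the class of defect the tweets above exhibit: a link inside a tweet is copied into an `href` attribute without escaping, so a stray double quote closes the attribute and whatever follows is parsed as new attributes such as `onmouseover`. The sample tweet, the function names and the attribute tokenizer are all constructed for this example.

```javascript
// Constructed sample in the shape of the worm's tweets: the "URL" contains a
// double quote followed by an attribute name (placeholder handler, not the real payload).
const SAMPLE_TWEET = 'http://t.co/@"onmouseover="alert(1)"class="modal x';

// Vulnerable linkifier: the URL text goes straight into the attribute, so the
// quote inside it terminates href="..." and the remainder becomes attributes.
function linkifyVulnerable(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Escape every character that can change meaning in attribute or text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened linkifier: the URL is limited to a strict character set that cannot
// contain quotes or whitespace, and both URL and surrounding text are escaped.
function linkifySafe(text) {
  const urlRe = /https?:\/\/[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = urlRe.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Approximates how a browser tokenises the first <a> tag: each name="value"
// pair becomes an attribute. Used here to show what the two renderers produce.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const attrRe = /([A-Za-z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

console.log(anchorAttributes(linkifyVulnerable(SAMPLE_TWEET))); // [ 'href', 'onmouseover', 'class' ]
console.log(anchorAttributes(linkifySafe(SAMPLE_TWEET)));       // [ 'href' ]
```

The vulnerable output yields three attributes, the injected handler among them, while the hardened output keeps the quote as text (`&quot;`) and yields only `href`.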
Twitter, which allows users to pepper one another with messages of 140 characters or less, has over 145 million registered users, co-founder Evan Williams said recently.
At the Examiner, Michael Santo warns, “Though Twitter has reported that it has fully closed the hole which, one would assume, would mean that the patch has propagated through the cloud, it might be good to only access the site via third party apps like TweetDeck and others. You wouldn’t want to end up like Julie Amero, who was brought to trial as a result of a computer that was infected with spyware and DNS hijacking software popping up pornographic images in a classroom. She was convicted, the conviction overturned, but eventually she pleaded guilty to a single charge of disorderly conduct, forfeiting her teaching credentials and paying a $100 fine.”
(with additional reporting by AFP)