Teen exposes flaw in Twitter: Sparks hacker activity

23 September 2010 08:44 AM IST | Agencies

An Australian teen has caused havoc on Twitter by discovering an exploit that hit thousands of users, including US President Barack Obama's press secretary, and resulted in the tweets of a former British PM's wife linking to hardcore porn

Not so tweet: Twitter CEO Evan Williams and Pearce Delphin

Melbourne student Pearce Delphin, 17, triggered the Twitter scare by testing computer code that opened alert boxes in web browsers saying "uh oh" when a user hovered their mouse over infected messages or tweets.

But later, some mischievous users of the site started using the exploit to make people "retweet" infected messages that they had not authorised, simply by hovering over a tweet with the code inserted.

Twitter engineers were pressed into finding a fix for the exploit within hours of it being discovered.

Pearce, who is studying year 12 at Penleigh and Essendon Grammar School, said that he was surprised that "so many famous people got infected". He said it was Twitter's responsibility, not his, to keep the site secure.

"When one considers entities like the White House, you don't expect someone to actually be sitting there refreshing the Twitter home page and mousing over links from whoever they're following," he said. "I guess regardless of power or fame, on the internet you have to be as careful as everyone else about security risks; this is one of the few areas that affects everyone on an equal scale."

News site Netcraft said it appeared as though Pearce found the exploit by looking at another Twitter page that took advantage of a similar exploit.

Pearce confirmed this; however, there has been some confusion over who first created certain parts of the exploit. He said it was first discovered by Twitter user @kinugawamasato, who changed the colour of tweets. Pearce was then the "first person to report the JavaScript vulnerability", he said, which made alert boxes appear when users hovered over tweets.

Twitter user @judofyr was then the first one to create a self replicating retweet worm by accident, he said, while some New Zealand Twitter users used the vulnerability to create a malevolent worm deliberately.

"I analysed the code within these 'rainbow tweets' more carefully, and it became evident that you could use any JavaScript or HTML (code) rather than just CSS (code), which meant that instead of just changing the appearance of the tweet, you could actually execute commands within the user's browser."
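As an added illustration (not code from the article, from Twitter, or from anyone quoted in it), the point made above, that a tweet could carry HTML attributes or JavaScript rather than just CSS, is shown as a weak link renderer beside a hardened one. The root cause is an assumption, not something the article states: the weak renderer interpolates tweet text into an HTML attribute without escaping, so a double quote in the text ends the attribute and anything after it is parsed as new attributes. `renderTweetWeak`, `renderTweetSafe`, `escapeHtml`, `hasInjectedHandler` and `SAMPLE_TWEET` are all constructed for this example.

```javascript
// Added example, not Twitter's code. Assumption: the weak renderer drops the
// tweet text straight into an href attribute, so a double quote in the text
// closes the attribute and the remainder is read as further attributes.

// Constructed sample tweet: a URL, then a quote that would end the attribute,
// then a hover handler of the kind the article describes.
const SAMPLE_TWEET = 'http://example.invalid/" onmouseover="alert(\'uh oh\')" x="';

// Weak renderer: raw string interpolation into attribute and element content.
function renderTweetWeak(text) {
  return `<a href="${text}">${text}</a>`;
}

// Escape the five characters that can change HTML structure, so the text stays
// a literal value whether it lands in an attribute or in element content.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every interpolation is escaped, and a link is emitted only
// when the text parses as an http(s) URL (the URL parser also percent-encodes
// quotes and spaces, so the href cannot break out of its attribute either).
function renderTweetSafe(text) {
  const safe = escapeHtml(text);
  let href = null;
  try {
    const u = new URL(text);
    if (u.protocol === 'http:' || u.protocol === 'https:') href = escapeHtml(u.href);
  } catch (_) {
    // Not a URL: render as plain, escaped text.
  }
  return href ? `<a href="${href}">${safe}</a>` : `<span>${safe}</span>`;
}

// Crude structural check for the demo: does a closing quote in the output sit
// directly before an on* event attribute? Production code should use a real
// HTML parser rather than a regex, but this is enough to contrast the two.
function hasInjectedHandler(html) {
  return /"\s+on\w+\s*=/i.test(html);
}

console.log('weak  :', hasInjectedHandler(renderTweetWeak(SAMPLE_TWEET)));  // true
console.log('safe  :', hasInjectedHandler(renderTweetSafe(SAMPLE_TWEET)));  // false
```

The weak output contains `" onmouseover=` as a live attribute; in the hardened output the same characters survive only as `&quot;` inside the escaped text and as `%22` inside the normalised href.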

He said that after he started noticing the exploit, some of his followers "realised the power" of the vulnerability, "and within a matter of minutes scripts had taken over my (Twitter) timeline".

He said he gained an extra 130 followers from tweeting about the exploit.

"In all the four years of using Twitter, this is the first time I recall a security hole spreading at the rate it did."

More seriously, he added: "I guess I have gained knowledge of how easy information can spread throughout social media networks. Literally moments after I had tweeted the ... script, I had dozens of replies in shock, questioning how I managed to do that."

Asked whether he thought it was irresponsible to discover and then tweet the exploit he had found, he said: "The situation could have been handled better if Twitter had been notified of the ... exploit."

Security expert Graham Cluley of computer security firm Sophos said the bug only affected users of the Twitter.com website and not third-party programs developed to access the popular microblogging service.

Twitter, which allows users to pepper one another with messages of 140 characters or less, has more than 145 million registered users, co-founder Evan Williams said recently.