Collaboration SuitesSecuritySoftwareWorkspace

Three Tweeters Claim Twitter ‘Onmouseover’ Flaw

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Three different Twitter users claim to have first exploited the “onmousover” flaw, which is apparently a month old

Confusion surrounds the Twitter hack after an Australian teenager admitted to being the one responsible, but other reports said that a Japanese developer had discovered the flaw and reported it a month ago.

Twitter has since fully patched the flaw, which affected thousands of Twitter accounts. The problem came to light just one week after Twitter rolled out a major redesign of its site.

It then emerged that Twitter users began finding that they only had to place their mouse pointer over a message containing a link, for it to open a browser, without them clicking on the link, which then took them to porn websites. This is referred to as a “onmouseover” issue, and the JavaScript command was also reported to generate pop up messages.

The code exploited what is known as a cross-site scripting (XSS) vulnerability.

I Am Spartacus

According to various reports, a 17 year old Australian teenager Pearce Delphin, who lives with his parents in Melbourne and goes by the Twitter name of  @zzap, has admitted that he provided the code which exploited the onMouseOver JavaScript flaw. He apparently did this by tweeting the relevant code, which was then used by hackers to launch a large-scale attack on Twitter.

“I did it merely to see if it could be done … that JavaScript really could be executed within a tweet,” Delphin told AFP.  “At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn’t even considered it.”

The teen admitted his part in the origin of the exploit after a security firm called Netcraft tracked it back to him. He is apparently just a few weeks off graduating from high school and hopes to study law. He had not yet told his parents about the cyberstorm he’d created.

“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal,” he said. “Hopefully I won’t get in trouble!”

No, I Am Spartacus

But other reports offer a different view of the Twitter flaw.

According to the Guardian, the original discovery of the XSS hack was made by a Japanese developer called Masato Kinugawa. He said that he reported an XSS vulnerability to Twitter on 14 August- and then discovered that the “new” Twitter, launched on Tuesday 14 September, had the same problem.

He then set up a Twitter account called “Rainbow Twtr”, which showed how the XSS weakness could be used to make tweets turn into different colours. He did this at 10am BST (the afternoon in Japan, but at Twitter HQ on the West coast of the US it was the middle of the night, so nobody was watching for security flaws.)

Kinugawa’s idea was then spotted by others.

No I Am Spartacus

And yet another person also claimed to be behind the flaw, saying that he was the first Twitter member to exploit the flaw.

According to the New York Times, Norwegian programmer Magnus Holm, said that he created his exploit “because I wanted to experiment with the flaw. … The purpose was simply to see if it was possible to create a worm.”

Twitter for its part said in a blog post that the bug had been fixed last month, but was reintroduced by mistake, presumably by the site resdesign.