Vic highschooler sparks Twitter’s onMouseOver woes

Powered by SC Magazine
 

Javascript command used to distribute malware.

Australian teenager Pearce Delphin has been credited with discovering the onMouseOver scripting vulnerability that hit twitter.com last night.

Users were urged to switch to third-party clients as hackers used the 'onMouseOver' javascript command to insert malicious code into messages on the microblogging site.

Delphin said he discovered the vulnerability at around 8pm after seeing @RainbowTwtr use a CSS exploit to change the background colour of tweets.

"After I retweeted this, I analysed the code within the 'rainbow tweets' more carefully, and it became evident that one could use any javascript or HTML rather than just CSS," he told iTnews.

"Instead of just changing the appearance of a tweet, you could actually execute commands within the user's browser."

Delphin tested his theory by using the 'onMouseOver' command to generate a pop-up box that said: "uh oh".

The concept spread to his Twitter followers, and "within a matter of minutes, scripts had taken over my timeline", he said.

Curious of the exploit's potentials, Delphin was able to generate a dialog box containing data from the Twitter cookie file in users' browsers.

He noted that other hackers may be able to extract personal information - however, Twitter's 140-character limit also applied to malicious code.

The most malicious code, according to Delphin, was from @Matsta, whose script auto retweeted itself no matter where users moved their mouse within the Twitter window.

"I watched this very closely from the moment it was posted, and it had thousands of retweets within a minute of it being posted," he said.

"You could also write a script to get everyone to auto-follow your Twitter profile. However, I didn't actually see this executed, and I didn't attempt it on my account."

Twitter was notified of the exploit at 7.54am today (AEST), and claimed to have solved the problem within four hours.

The company claimed to have discovered and patched the issue last month, but "a recent site update - unrelated to new Twitter - unknowingly resurfaced it".

Delphin, who had the Twitter account @zzap since 2006, said Twitter's response was adequate, but "they could have handled it better".

"The fact that this vulnerability was omnipresent for hours, with no word from any Twitter staff prior to it being fixed, meant there was lots of confusion and distress within the Twitter community, and the security of the site was questioned," he said.

"Luckily when this vulnerability was first made public, it was apparently in the middle of the night in North America. The effects on Twitter had it been the middle of the day time there could have been a lot worse."

A self-proclaimed "English fanatic" Delphin was completing his VCE studies at Penleigh and Essendon Grammar School with software development and IT as subjects.

The seventeen-year-old said he sought work in security and journalism.

Copyright © iTnews.com.au . All rights reserved.


Vic highschooler sparks Twitter’s onMouseOver woes
 
 
 
Top Stories
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1797

Vote
Do you support the abolition of the Office of the Information Commissioner?