Vic highschooler sparks Twitter’s onMouseOver woes


JavaScript command used to distribute malware.

Australian teenager Pearce Delphin has been credited with discovering the onMouseOver scripting vulnerability that hit twitter.com last night.

Users were urged to switch to third-party clients as hackers used the 'onMouseOver' JavaScript command to insert malicious code into messages on the microblogging site.

Delphin said he discovered the vulnerability at around 8pm after seeing @RainbowTwtr use a CSS exploit to change the background colour of tweets.

"After I retweeted this, I analysed the code within the 'rainbow tweets' more carefully, and it became evident that one could use any javascript or HTML rather than just CSS," he told iTnews.

"Instead of just changing the appearance of a tweet, you could actually execute commands within the user's browser."

Delphin tested his theory by using the 'onMouseOver' command to generate a pop-up box that said: "uh oh".

The concept spread to his Twitter followers, and "within a matter of minutes, scripts had taken over my timeline", he said.

Curious about the exploit's potential, Delphin was able to generate a dialog box containing data from the Twitter cookie file in users' browsers.

He noted that other hackers might be able to extract personal information, although Twitter's 140-character limit also applied to malicious code.
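The bug the article describes is tweet text reaching the page without being treated as text: once a tweet body is concatenated straight into markup, an HTML tag carrying an event-handler attribute such as onMouseOver runs in every reader's browser. The following is an added example, not iTnews' or Twitter's code; it assumes a hypothetical template that wraps each tweet in a paragraph and auto-links http(s) URLs, and the sample tweets are constructed for illustration. It contrasts an unescaped renderer with one that HTML-escapes every fragment of user text, and adds a regression check a test suite can run over rendered output.

```javascript
// Added example (not iTnews' or Twitter's own code). Assumed template:
// each tweet body goes inside <p class="tweet"> and http(s) URLs become links.

// The five characters that can change meaning in HTML text or in a
// double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Matches http(s) URLs in tweet text (a deliberately simple matcher).
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: user text is concatenated straight into markup, so any
// tag or attribute in the tweet body is parsed as part of the page.
function renderTweetUnsafe(text) {
  const linked = text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
  return `<p class="tweet">${linked}</p>`;
}

// Hardened renderer: every fragment of user text is escaped, whether it ends
// up in a text node or inside the link's attribute value.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += `<a href="${u}">${u}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return `<p class="tweet">${out}</p>`;
}

// Regression check: does the rendered markup contain a tag with an on*
// event-handler attribute? The template only emits <p> and <a> with fixed
// attributes, so any on* attribute means user text became markup.
function hasEventHandlerAttribute(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample tweets: an ordinary one, and one modelled on the
// article's description of a tweet carrying an onMouseOver handler.
const SAMPLE_TWEETS = [
  'Rainbow tweets! http://example.com/rainbow',
  '<span onmouseover="alert(\'uh oh\')">hover me</span>',
];

// Stand-alone demonstration: the unsafe renderer lets the handler through,
// the escaped renderer turns it into inert text.
for (const t of SAMPLE_TWEETS) {
  console.log('unsafe:', renderTweetUnsafe(t), hasEventHandlerAttribute(renderTweetUnsafe(t)));
  console.log('safe:  ', renderTweetSafe(t), hasEventHandlerAttribute(renderTweetSafe(t)));
}

module.exports = { escapeHtml, renderTweetUnsafe, renderTweetSafe, hasEventHandlerAttribute, SAMPLE_TWEETS };
```

Two practical notes. Escaping like this is correct only for the HTML text and double-quoted attribute contexts the assumed template uses; a value placed in a URL, an inline script or a style block needs the encoding of that context instead. And an input length cap, like the 140-character limit mentioned above, is not a control against this class of bug: the fix is output encoding at the point where user text is written into the page.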

The most malicious code, according to Delphin, was from @Matsta, whose script auto-retweeted itself no matter where users moved their mouse within the Twitter window.

"I watched this very closely from the moment it was posted, and it had thousands of retweets within a minute of it being posted," he said.

"You could also write a script to get everyone to auto-follow your Twitter profile. However, I didn't actually see this executed, and I didn't attempt it on my account."

Twitter was notified of the exploit at 7.54am today (AEST), and claimed to have solved the problem within four hours.

The company claimed to have discovered and patched the issue last month, but "a recent site update - unrelated to new Twitter - unknowingly resurfaced it".

Delphin, who had the Twitter account @zzap since 2006, said Twitter's response was adequate, but "they could have handled it better".

"The fact that this vulnerability was omnipresent for hours, with no word from any Twitter staff prior to it being fixed, meant there was lots of confusion and distress within the Twitter community, and the security of the site was questioned," he said.

"Luckily, when this vulnerability was first made public, it was apparently in the middle of the night in North America. The effects on Twitter, had it been the middle of the day there, could have been a lot worse."

A self-proclaimed "English fanatic", Delphin was completing his VCE studies at Penleigh and Essendon Grammar School, with software development and IT among his subjects.

The seventeen-year-old said he sought work in security and journalism.

Copyright © iTnews.com.au . All rights reserved.

Comments: 6
Mordd
Sep 22, 2010 7:17 PM
He criticises Twitter's response, but obviously took no effort to notify Twitter directly of the exploit, instead tweeting it, allowing users with malicious intent to "hijack" the code for their own use, therefore causing all the drama.

This little jerk should be held responsible for implementing the exploit, seeing as he did nothing to notify Twitter and everything to allow the exploit to instead spread. @ITNews I think you should have picked up on this in the article as well, shame on you for portraying him like some innocent victim.
RJ
Sep 22, 2010 10:18 PM
It is not the responsibility of Victorian teenagers to look after Twitter's security. I don't know where you got this bizarre idea from.

Since you seem to be a blame hunter, he even points out that it was "RainbowTwitr" that demonstrated that the tweets were not being properly sanitised.
Ace
Sep 23, 2010 12:01 PM
The guy was obviously technically aware of how to find and use the exploit. While there is no law, it is accepted practice to inform the owner (in this case Twitter), and allow a decent period of time for a fix to be applied before publishing your finding.

His excuse would be that he is a teenager, prone to bouts of stupidity.

And @RJ, it's not a matter of being responsible for Twitter's security, it's simple human decency. I'm betting that if you found an easy way to break into the bank, and told everyone about it, you'd be arrested as an accomplice, even though you may not have committed the crime directly yourself.
RJ
Sep 23, 2010 2:59 PM
"I'm betting that if you found an easy way to break into the bank, and told everyone about it, you'd be arrested as an accomplice, even though you may not have committed the crime directly yourself."

That's because of the hysteria people get into when technology is involved with anything at all, not because it is correct and right. For example, if I were to discover that a certain door lock had a flaw in it and publicly disclosed this, am I automatically responsible for all the house break-ins? Wouldn't happen.

Contacting them would have been a nice thing to do, but basic human decency? I wouldn't go that far. No one is obliged to spend their own time cleaning up someone else's stuff-up. It's not his job, nor is he getting paid. Let's face it, Twitter is only in it for the money.. why should anyone else be any different?
Ace
Sep 23, 2010 4:56 PM
The kid clearly went out of his way to ensure a problem became a major problem. He didn't have to do anything about the problem. He also didn't have to tell the world about it. But he did.

BTW @RJ, you might indeed find yourself connected to break-ins of the house you advertised as being insecure. I don't know what you mean by 'all the house break-ins', or how that is even relevant.
realitybites
Sep 23, 2010 5:14 PM
I stand with Ace and Mordd on this one. Ace even provided an example of "decency" by offering an excuse for his behavior. He didn't have to do that, but he did, and that example was obviously lost on you, RJ.

"Let's face it, Twitter is only in it for the money.. why should anyone else be any different?"

I was under the impression the youth of today went out of their way to be different. Must be only when it suits them yeah?
