Vic highschooler sparks Twitter’s onMouseOver woes

Javascript command used to distribute malware.

Australian teenager Pearce Delphin has been credited with discovering the onMouseOver scripting vulnerability that hit twitter.com last night.

Users were urged to switch to third-party clients as hackers used the 'onMouseOver' javascript command to insert malicious code into messages on the microblogging site.

Delphin said he discovered the vulnerability at around 8pm after seeing @RainbowTwtr use a CSS exploit to change the background colour of tweets.

"After I retweeted this, I analysed the code within the 'rainbow tweets' more carefully, and it became evident that one could use any javascript or HTML rather than just CSS," he told iTnews.

"Instead of just changing the appearance of a tweet, you could actually execute commands within the user's browser."

Delphin tested his theory by using the 'onMouseOver' command to generate a pop-up box that said: "uh oh".

The concept spread to his Twitter followers, and "within a matter of minutes, scripts had taken over my timeline", he said.

Curious of the exploit's potentials, Delphin was able to generate a dialog box containing data from the Twitter cookie file in users' browsers.

He noted that other hackers may be able to extract personal information - however, Twitter's 140-character limit also applied to malicious code.

The most malicious code, according to Delphin, was from @Matsta, whose script auto retweeted itself no matter where users moved their mouse within the Twitter window.

"I watched this very closely from the moment it was posted, and it had thousands of retweets within a minute of it being posted," he said.

"You could also write a script to get everyone to auto-follow your Twitter profile. However, I didn't actually see this executed, and I didn't attempt it on my account."

Twitter was notified of the exploit at 7.54am today (AEST), and claimed to have solved the problem within four hours.

The company claimed to have discovered and patched the issue last month, but "a recent site update - unrelated to new Twitter - unknowingly resurfaced it".

Delphin, who had the Twitter account @zzap since 2006, said Twitter's response was adequate, but "they could have handled it better".

"The fact that this vulnerability was omnipresent for hours, with no word from any Twitter staff prior to it being fixed, meant there was lots of confusion and distress within the Twitter community, and the security of the site was questioned," he said.

"Luckily when this vulnerability was first made public, it was apparently in the middle of the night in North America. The effects on Twitter had it been the middle of the day time there could have been a lot worse."

A self-proclaimed "English fanatic" Delphin was completing his VCE studies at Penleigh and Essendon Grammar School with software development and IT as subjects.

The seventeen-year-old said he sought work in security and journalism.