Vic highschooler sparks Twitter’s onMouseOver woes


JavaScript event handler used to spread malicious code.

Australian teenager Pearce Delphin has been credited with discovering the onMouseOver scripting vulnerability that hit Twitter last night.

Users were urged to switch to third-party clients as attackers used the 'onMouseOver' JavaScript event handler to inject malicious code into messages on the microblogging site.

Delphin said he discovered the vulnerability at around 8pm after seeing @RainbowTwtr use a CSS exploit to change the background colour of tweets.

"After I retweeted this, I analysed the code within the 'rainbow tweets' more carefully, and it became evident that one could use any javascript or HTML rather than just CSS," he told iTnews.

"Instead of just changing the appearance of a tweet, you could actually execute commands within the user's browser."

Delphin tested his theory by using the 'onMouseOver' handler to generate a pop-up box that said: "uh oh".

The concept spread to his Twitter followers, and "within a matter of minutes, scripts had taken over my timeline", he said.

Curious about the exploit's potential, Delphin was able to generate a dialog box containing data from the Twitter cookie file in users' browsers.

He noted that other hackers may be able to extract personal information; however, Twitter's 140-character limit also applied to malicious code.

The most malicious code, according to Delphin, was from @Matsta, whose script auto retweeted itself no matter where users moved their mouse within the Twitter window.

"I watched this very closely from the moment it was posted, and it had thousands of retweets within a minute of it being posted," he said.

"You could also write a script to get everyone to auto-follow your Twitter profile. However, I didn't actually see this executed, and I didn't attempt it on my account."

Twitter was notified of the exploit at 7.54am today (AEST), and claimed to have solved the problem within four hours.

The company claimed to have discovered and patched the issue last month, but "a recent site update - unrelated to new Twitter - unknowingly resurfaced it".

Delphin, who has held the Twitter account @zzap since 2006, said Twitter's response was adequate, but "they could have handled it better".

"The fact that this vulnerability was omnipresent for hours, with no word from any Twitter staff prior to it being fixed, meant there was lots of confusion and distress within the Twitter community, and the security of the site was questioned," he said.

"Luckily when this vulnerability was first made public, it was apparently in the middle of the night in North America. The effects on Twitter had it been the middle of the day time there could have been a lot worse."

A self-proclaimed "English fanatic", Delphin was completing his VCE studies at Penleigh and Essendon Grammar School with software development and IT as subjects.

The seventeen-year-old said he sought work in security and journalism.
