Twitter application broadcasts unauthorised message

Twitter users who granted access to their accounts to the Grader application have begun tweeting a bizarre and unauthorised message.

According to Rik Ferguson, senior security advisor at Trend Micro, Grader is typically used to evaluate a user's ‘influence' on Twitter, but those who have allowed access to their accounts have begun sending a message that relates to Twitter founder Biz Stone promoting Twitter in 2006.

Ferguson said: "Fortunately, the link that has been endlessly tweeted by Grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.

"The domain name of the destination site, however, might give us a clue to the motivation behind the attack. Seonix presumably refers to search engine optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised."

He also pointed out that one of the victims of the attack was Dharmesh Shah, the founder of Grader. Grader is currently unavailable, but Shah posted an update on its sister site HubSpot claiming that a malicious user was able to post tweets impersonating Twitter Grader users that had authorised the application.

Shah said: "I spent much of the afternoon responding to people's tweets, letting them know about the problem and that we were working on it. Everybody's been super-understanding and patient."

He said that the incident was his fault as he was the "one that developed this particular feature that ended up getting hacked" and that he should have known better. He also claimed that HubSpot was shutting down several of the grader applications (not just Twitter Grader) and will be reactivating them on completely new servers with increased security.

Shah said: "The application and associated keys were disabled as soon as we discovered there was a problem and as it stands, no additional action is needed for users. Your username and password were not compromised - but it is never a bad idea to change your password periodically.

"We are working on a permanent resolution which will allow Twitter Grader to be available publicly again. Until this work is complete, neither Twitter Grader nor the Twitter Grader API will be available.

"My sincere apologies to all the users that were harmed by this security breach. This one really bothered me because all of you work hard to build trust, reputation and community on Twitter. These malicious tweets went out to your followers and compromised that trust. I really hate that I was responsible for that. And, to whoever it was that hacked in and sent out those tweets: that was not cool."

Ferguson said: "Message to users is: be aware and alert as to what you have and have not posted on Twitter. If you see a tweet that you know you did not post, please look where it came from (e.g. via an external service such as Gradar). If it has come from an external place, please make sure you revoke the permission to the application in your Twitter account."