Twitter was hit by a bug yesterday that sent malicious links without user permission.
Tweets contained no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl) that pointed to a URL that ended with ‘m28sx.html'. Graham Cluley, senior technology consultant at Sophos, said that if you clicked on one of the links you were ultimately taken to a website that asked you to download a fake anti-virus. Sophos has detected the malware as Troj/FakeAV-CMG.
Del Harvey of Twitter's security team initially said that ‘"all signs point to the compromise being due to weak passwords" and encouraged users not to install ‘Security Shield' rogue anti-virus. She later confirmed the problem and said that the website is removing the dangerous links and resetting the passwords of compromised accounts.
Mikko Hypponen, CSO of F-Secure, commented on his Twitter feed that he was "seeing weird links being posted...could be some sort of a worm" and said to watch out for messages that only have one goo.gl link and nothing else. He later confirmed that this was a new Twitter worm that was spreading. He said: “Shows up as messages from your friends that only contain one goo.gl link and nothing else.”
He later said that the ‘m28sx' Twitter worm attack was over, as an IP address in the UK [220.127.116.11] needed by the worm was down. He said that it was "effective while it lasted".
“Interestingly, all of the offending Twitter messages examined by Sophos so far claim to have been posted by ‘Mobile Web' (Twitter's ‘lite' interface for generic mobile phone users) rather than users' normal clients such as Tweetdeck or Twitter for iPhone,” Cluley said.
“What is not yet clear is how the Twitter users found their accounts compromised in this way. The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately.”