Twitter’s security team was scrambling yesterday after a flaw in its website opened the door to all kinds of apparently harmless mischief by its more tech-savvy members. One of the worms attempted to redirect users to a Japanese hardcore site; another sent gibberish to the 100,000 followers of the White House Press Secretary.
Here’s how events unfolded during the day. (The times are in Eastern Time.)
5:24 a.m. A security hole is discovered in the old Twitter site. (The new site was unaffected by the bug.) The hole is a cross-site scripting (XSS) vulnerability, a class of flaw commonly exploited by hackers on websites. Twitter had previously patched the defect, but the fix was undone (a regression) when the site was recently updated.
5:54 a.m. Twitter’s website administrators become aware of the flaw.
7:41 a.m. Malware researchers at Kaspersky Lab release a preliminary analysis of the situation at Twitter. “From my first preliminary analysis, you’ll have to hover over a link to activate it and so far I have just seen some proof of concepts from people I follow,” writes analyst Georg ‘oxff’ Wicherski. “However, this vulnerability looks at least semi-wormable, so better turn JavaScript off on Twitter for now!”
10:23 a.m. Twitter reports that the flaw has been patched and the “hover” problem remedied. “The vast majority of exploits related to this incident fell under the prank or promotional categories,” the company writes in a blog post. “Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.”
11:40 a.m. Details of the hacks continue to surface. The first Twitter member to exploit the flaw is a Norwegian programmer, Magnus Holm, The New York Times reports. He tells the newspaper he created his exploit “because I wanted to experiment with the flaw. … The purpose was simply to see if it was possible to create a worm.”
11:43 a.m. White House Press Secretary Robert Gibbs was hit by the Twitter flaw, and his account sent a message containing gibberish to 100,000 followers, the Los Angeles Times reports. Gibbs later tweets, “My Twitter went haywire – absolutely no clue why it sent that message or even what it is … paging the tech guys…”
3:31 p.m. Security website Dark Reading writes a coda for Twitter’s day. “Twitter late this morning quickly fixed the cross-site scripting flaw on its website that hackers used to wage an attack that blended both XSS and cross-site request forgery (CSRF), and the attack appeared to have little to no lasting damage,” writes Kelly Jackson Higgins. “But security experts say it serves as a wake-up call that the XSS bug, which typically litters many websites and is often considered relatively benign by website operators and developers, is a real problem that should be taken more seriously.”
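As an added illustration of the bug class in the timeline above (example code written for this page, not Twitter’s own, and not the worm’s actual payload), the script below shows a tweet auto-linker that drops a URL straight into an href attribute. A double quote inside the URL closes the attribute early, so whatever follows is parsed as a new attribute on the link; an onmouseover handler placed there runs as soon as a reader hovers over the link, which matches the “hover to activate” behaviour the researchers described. The hardened version escapes the attribute value and the surrounding text. The payload, the sample tweets and the helper names (linkifyUnsafe, linkifySafe, escapeHtml, anchorAttributes) are constructed for the demo.

```javascript
// Constructed demo of attribute-context XSS in a tweet auto-linker.
// Not Twitter's code; the payload is illustrative and harmless.

// Only http(s) URLs are auto-linked; the run stops at whitespace or '<'.
const URL_RE = /https?:\/\/[^\s<]+/g;

// Vulnerable: the matched URL is interpolated verbatim into the href
// attribute and the link text, so a '"' in the URL ends the attribute.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: every text segment and every attribute value is escaped, so the
// URL can no longer break out of the quoted href. The regex only matches
// http(s), which also rules out javascript: links.
function linkifySafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Minimal tokenizer for the first <a ...> start tag: returns the attribute
// names a browser would see. Enough to check the demo, not a full parser.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const attrRe = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  for (const a of tag[1].matchAll(attrRe)) names.push(a[1].toLowerCase());
  return names;
}

// Constructed inputs: a benign tweet and one carrying a quote-breakout
// payload that plants a hover handler (here it only changes the page title).
const BENIGN = "see http://example.com/page?a=1&b=2 now";
const PAYLOAD = "ok http://example.com/@\"onmouseover=\"document.title='owned'\" end";

// Stand-alone demo output.
console.log("unsafe:", linkifyUnsafe(PAYLOAD));
console.log("unsafe attrs:", anchorAttributes(linkifyUnsafe(PAYLOAD)));
console.log("safe:  ", linkifySafe(PAYLOAD));
console.log("safe attrs:  ", anchorAttributes(linkifySafe(PAYLOAD)));
```

The injected handler runs in the victim’s own session, which is the CSRF half of the blended attack Dark Reading describes: any request the script makes (a retweet, a new status) carries the reader’s cookies, so a payload that re-posts itself spreads to everyone who hovers. Escaping at the point where untrusted data enters the HTML attribute is what closes the hole; a regression that drops that escaping, as the timeline reports, reopens it in full.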