Twitter says it has patched a cross-site scripting issue that was exploited by attackers the morning of Sept. 21.
According to Sophos, the issue impacted thousands of users, among them Sarah Brown, the wife of former British Prime Minister Gordon Brown.
“It appears that in Sarah Brown’s case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan,” blogged Graham Cluley, senior technology consultant at Sophos. “That’s obviously bad news for her followers – over one million of them.”
“Some users [were] also seemingly deliberately exploiting the loophole to create tweets that contain blocks of colour (known as “rainbow tweets”),” he added. “Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.”
Twitter user Magnus Holm tweeted that he created a worm to target the issue, but did not find the cross-site scripting vulnerability itself. In an interview with BBC, he reportedly said that he wanted to exploit the hole without doing any real harm, but the flaw had been identified by others who used it for other purposes.
“There were several other tiny hacks using the exploit – I only created the worm,” he was quoted as saying.
In a blog post on the incident, Twitter Security Chief Bob Lord said the security vulnerability at issue was actually patched last month, but the issue was reopened by a recent site update unrelated to the Twitter revamp announced last week.
“First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet,” Lord explained. “This is why folks are referring to this an “onMouseOver” flaw — the exploit occurred when someone moused over a link.”
“Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge,” he added.
Lord noted that the exploit affected Twitter.com and not its mobile site or mobile applications.
“The vast majority of exploits related to this incident fell under the prank or promotional categories,” he wrote. “Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.”
*This story was updated to add new comment from Twitter.