How Twitter Hatched a Virus That Reached the White House
It's safe to return to Twitter. The microblogging service has successfully blocked the virus that crippled Twitter.com earlier today. So how was Twitter brought to its knees? Through an amateur coding error reported to the company over a month ago.
The Twitter bug that allowed today's viruses was originally discovered by Japanese developer Masato Kinugawa on August 14, according to a translation of Kinugawa's Twitter stream and a story in the Guardian. A week ago, Kinugawa discovered the flaw was still around in the new version of Twitter.com the company has been rolling out to select users. Last night, Kinugawa set up a test Twitter account, @rainbowtwtr, to illustrate how he could use the vulnerability to change the color of tweets.
Kinugawa's techniques, now shown in the wild, were rapidly picked up by others. What he'd discovered was that Twitter failed to properly filter tweets for Javascript code. Or rather, it did filter out Javascript, unless your URL contained the "@" symbol, in which case you could trick Twitter into
accepting your Javascript in a tweet, and then embedding that Javascript when it displayed your tweet to other users.
This sort of attack, known as "cross-site scripting," or "XSS" for short, is a classic and well understood phenomenon that Web developers are routinely badgered to be on guard against. This is why Ars Technica is (correctly) calling today's worm a "blatant security flaw" — it's the sort of thing that should have been caught, even if Twitter was rushing to launch its new website redesign, which was shown at a much-hyped press event earlier this month.
The security hole seems all the more lamentable because Twitter knew about it more than a month ago, according to Kinugawa.
Anyway, after Kinugawa showed off his "Rainbow Twtr" example from his home base in Japan, there was no immediate reaction from Twitter Inc. because the company is based in California and everyone was, presumably, asleep. They would have still been asleep when a Scandanavian developer named Magnus Holm created a self-retweeting demonstration of the security hole, which spread rapidly; and would also have been asleep as Russian hackers and Japanese pornographers launched their own, even more nefarious versions of the bug.
It wasn't long before the virus had reached some big-name Twitter users as dawn broke in the U.S. and western Europe. White House press secretary Robert Gibbs wrote, "My Twitter went haywire - absolutely no clue why it sent that message or even what it is...paging the tech guys..." The wife of former British Prime Minister Gordon Brown was hit. NBC White House correspondent Chuck Todd was hit, as was the Today Show's Courtney Hazlett, and the New York Times' Kim Severson. Musician Travis Barker also tweeted that his account had been "hacked."
There were no doubt countless others; though Twitter says it has finally closed the security hole, a full tally of the number of accounts affected is not yet available. One lesson, though, is clear: It's absolutely safer to have people reading tweets through a diverse array of software products than through a single website. Given that Twitter is trying hard to draw people back in to Twitter.com, where it can show them large-format ads featuring images and video, it must regret serving them up such a harsh lesson in the danger of trusting a single company to be the hub for so much information.
[Photo of Gibbs via Getty Images]