A 17-year-old boy from Australia claims he inadvertently triggered a chain of events that led to thousands of people being affected by a Twitter security flaw yesterday. But it all may have been started by a Japanese developer a couple of hours earlier.
Pearce Delphin, or @zzap on Twitter, says he exposed the security flaw by tweeting a piece of code with an onMouseOver JavaScript function, which caused a pop-up to appear when a user merely moves his mouse cursor over the message.
Very soon, the code was modified to do other sorts of things – perform auto retweets, open pornographic websites and generally create havoc on Twitter, which lasted a couple of hours until Twitter admins patched the vulnerability.
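An added illustration, not code from this article or from Twitter: a constructed tweet-to-HTML autolinker that drops a URL into an href attribute without escaping, the kind of rendering defect that lets an onMouseOver handler ride inside a tweet, beside a version that escapes attribute values. The sample tweet, the function names and the assumption that the injection arrives through an autolinked URL are mine, not a claim about Twitter's actual code.

```javascript
// Constructed example: why unescaped attribute interpolation lets an event
// handler into a rendered tweet, and how escaping stops it. Not Twitter's code.

// HTML-escape a string for use in text and in double-quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Matches an http(s) URL up to the next whitespace (deliberately simple).
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched URL is interpolated raw into the href attribute.
// A double quote inside the URL closes the attribute early, so whatever
// follows is parsed by the browser as further attributes on the <a> tag.
function renderTweetVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: every untrusted value is escaped in both attribute and text
// context, so a quote in the URL can never terminate the attribute.
function renderTweetSafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Detection aid for rendered output: an on* attribute introduced right after
// a quote or whitespace is a sign that user input broke out of an attribute.
function hasEventHandlerAttribute(html) {
  return /[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet: a URL carrying a quote and a handler attribute.
const SAMPLE_TWEET = 'look http://example.test/"onmouseover="alert(1)" x';
```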
“I did it merely to see if it could be done … that JavaScript really could be executed within a tweet. At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn’t even considered it,” Delphin told AFP via email.
“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal,” Delphin said. He hopes he won’t get into trouble, but he very well could – the proper course of action in situations like these is reporting such a vulnerability to Twitter. Exposing a security flaw like he did, even inadvertently, is at the very least an error in judgment.
However, in this case, the flaw was so elementary and spread so fast that it’s hard to point at Delphin and consider him solely responsible for the damage it caused (which, according to Twitter, was not very big, despite the fact that the flaw was potentially extremely dangerous). Delphin (together with several others, for example Scandinavian developer Magnus Holm) claims he merely modified the idea from another user who had used the code to make his tweets colored, meaning he was not the first to expose the flaw.
The “other user” was probably a Japanese developer called Masato Kinugawa, who said he reported the XSS vulnerability to Twitter on August 14. It was subsequently patched, but he later discovered that the vulnerability was exploitable again. He then created a Twitter account called RainbowTwtr, which he used to prove that the flaw could be used to create colored tweets.
This is in line with Twitter’s account of the incident. From Twitter’s official blog: “We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.”
One thing about the entire incident causes concern: the vulnerability was too easy to exploit, and it spread amazingly fast. Twitter should take a good look at its security before an attack similar to this one causes a lot more damage.