Twitter says it fixed flaw exposed by hackers

Users were directed to adult websites and got garbled messages for hours after the attack.

Los Angeles Times - Business - Jessica Guynn, reporting from San Francisco

Hackers exploited a security flaw on Twitter Inc.’s website Tuesday and for several hours caused havoc for users who were redirected to porn websites and received garbled messages.

Not even White House Press Secretary Robert Gibbs was immune, posting: “My Twitter went haywire — absolutely no clue why it sent that message or even what it is … paging the tech guys …”

Former British Prime Minister Gordon Brown’s wife, Sarah — and her more than 1 million Twitter followers — encountered the bug when her Twitter page connected visitors to a hardcore pornography site in Japan. Hackers used a programming command known as onmouseover, which makes messages pop up and websites open automatically when a mouse cursor hovers over a post — even if the user does not click on it. The command also spammed followers with incomprehensible messages.

Twitter said in a blog post that it patched the flaw within four hours and that no user information or computers were compromised. But it was the latest incident to raise concerns about security at the popular messaging service.

The attack did not appear to be malicious but easily could have been, analysts said. The pop-ups could have contained malicious code to prey on unprotected or poorly protected computers.

A Japanese developer may have discovered the vulnerability, according to Twitter posts, and the first hacker to exploit it on Twitter appears to have been Magnus Holm, a Norwegian programmer who uses the Twitter handle @judofyr. He described the code he wrote as harmless.

A spokeswoman for Twitter, which has 160 million users, said it did not know how many were affected.

Analysts said such incidents were unlikely to damp Twitter’s popularity with consumers or with the advertisers trying to reach them.

“Because Twitter has become such a utility for most of its users, Twitter members just grit their teeth and wait for the problem to be solved,” said Lou Kerner, a social media and Internet analyst with Wedbush Securities Inc. “If the members aren’t turned off by the technical issues, it’s unlikely that the advertisers will be.”

For years Twitter had trouble managing its explosive growth, leaving it more vulnerable to attack, analysts say.

Twitter had several major security breaches in 2009. Among them, in January 2009, a hacker got access to the Twitter account of President-elect Obama, dispatching to his followers a bogus offer for free gasoline. In April 2009, a hacker broke into a Twitter employee’s personal e-mail account and accessed profile data and updates of Twitter users.

The attacks prompted a Federal Trade Commission investigation into the security and privacy protection Twitter offers its users. Twitter settled the investigation in June and agreed to set up a security program that would be audited by an outside company.

Unidentified hackers often bombard social networking sites, including Facebook and Twitter. But users worry less about their safety on Twitter than on other services where they store more personal information, Forrester Research analyst Augie Ray said.

Because Twitter patched the problem quickly, “your average Twitter user probably doesn’t even know what happened,” Ray said.

The attack appeared to affect Twitter’s old design, not the redesign it rolled out at a news conference at its San Francisco headquarters last week.
