Hackers create chaos on Twitter with 'worm' attacks

The information-rich world of Twitter was almost converted into total gobbledegook yesterday as hackers took advantage of a security flaw to create self-replicating "worms" that automatically posted themselves to users' accounts.

Any Twitter user who hovered their cursor over the unintelligible messages immediately risked spreading them to the accounts of their own followers. At its peak, over 100 such messages were being generated every second, causing consternation among the Twitter community, who rely on the service for everything from breaking news to inconsequential amusement.

The effects of the worm ranged from harmless messing about to malicious redirects to unsavoury websites; at one point Sarah Brown, wife of the former PM, unwittingly guided her 1.1 million devoted followers towards a Japanese pornography site. "Don't touch the earlier tweet," she posted later. "This twitter feed has something very odd going on!"

Odd indeed – but also something that was easily preventable, and which will have caused embarrassment to Twitter in the week following the much-publicised roll-out of its relaunched website.

The way Twitter works meant that the biggest damage was wrought by those with the largest number of followers. Sarah Brown was the most notable, but others included former deputy Prime Minister John Prescott, White House press secretary Robert Gibbs ("Absolutely no clue why it sent that message or even what it is") and comedian David Mitchell ("Apologies... more evil robots, basically. Get used to them, I say.")

Users who had already been granted access to the new-look version weren't affected, and nor were those who interact with the service using applications on their computers or mobile devices. The worm targeted those who still access their accounts by logging on to the main Twitter site – the vast majority – hence the worms' rapid spread.

This type of attack is known as XSS or "cross-site scripting", and is by far the most common way for web security to be compromised. If a hacker can find a way to execute a script on a website, that script can gain access to sensitive details that the browser might be holding on our behalf – including, as was the case here, the ability to automatically post messages on Twitter.

The problem came to light early on Wednesday, when the person behind an account called @RainbowTwtr realised that the site's automatic conversion of website addresses within messages could be embellished with a potentially powerful type of code known as JavaScript.
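The class of bug described above, as an added example that is not Twitter's code or part of the original article: a link converter that pastes the matched address straight into an HTML attribute, beside a version that escapes everything it outputs. The function names, the URL pattern and the sample message (which carries a harmless marker attribute rather than script) are all constructed for illustration.

```javascript
// Constructed example: URL auto-linking with and without output escaping.
// Loose matcher (an assumption): a "URL" runs to the next whitespace, so quote
// characters are accepted as part of the address.
const URL_RE = /https?:\/\/[^\s]+/g;

// VULNERABLE: the matched text goes into the href attribute unescaped.
function autolinkUnsafe(message) {
  return message.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: every piece of user text is escaped at the point of output,
// both the plain text between links and the URL placed inside the attribute.
function autolinkSafe(message) {
  let out = "";
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    out += escapeHtml(message.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}" rel="nofollow noopener">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// Check helper: list the attribute names on the first <a> tag of the output.
// Any name the template did not write itself means user text escaped the href.
function attributeNames(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  return [...tag[1].matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)].map((m) => m[1]);
}

// Constructed message: the quote ends the href value early, so the text after
// it is read as a second attribute. An inert data- attribute stands in here.
const SAMPLE = 'look at http://example.test/"data-injected="1';

console.log(attributeNames(autolinkUnsafe(SAMPLE))); // attribute set by the message
console.log(attributeNames(autolinkSafe(SAMPLE)));   // only template attributes
```

Run over rendered output in a test suite, `attributeNames` gives a quick regression check that no message can add attributes to a generated link.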

Twitter patched this particular vulnerability within three hours, but XSS attacks will continue to affect users of popular websites; there will always be geeks keen to wreak havoc for financial gain.
