Twitter apologizes after users hit by 'mouseover' attack

Twitter apologized to its millions of users on Tuesday after hackers exploited a security hole and wreaked havoc on the microblogging service.

Bob Lord, a member of Twitter's security team, said no account information was compromised in the attack, dubbed the "mouseover bug" because it was spread by users scrolling over infected links with a computer mouse.

The bug opened pop-up windows in Web browsers, linked some users to porn websites, or automatically generated the short messages known as "tweets" from a user's account.

San Francisco-based Twitter said the attack began around 2:30 am California time (0930 GMT) and was brought under control four-and-a-half hours later.

But not before thousands of users saw bizarre strings of computer code in their incoming message feed and inadvertently passed them on to other users in their list of followers.

The infected links looked like regular messages but contained lines of random computer code or were completely blacked out like a message that has been redacted.

Those hit by the bug included Sarah Brown, the wife of the former British prime minister who has over 1.1 million followers on Twitter, and White House press secretary Robert Gibbs, who has 97,000 followers.

"My Twitter went haywire," Gibbs wrote on @presssec. "Paging the tech guys."

"Don't know what everyone else got, but my bug sent me an advert for a weight loss program - as if that would work!" Brown joked at @sarahbrownuk.

Twitter's Lord explained the attack in a blog post, saying it was caused by cross-site scripting (XSS), which involves placing code from an untrusted website into another one.

"In this case, users submitted JavaScript code as plain text into a tweet that could be executed in the browser of another user," he said.

Lord said Twitter had patched up a similar issue last month but it resurfaced as the result of a recent site update.

He said the initial attack involved pop-up boxes which appeared when a Twitter user hovered over an infected link with their mouse.

"Other users took this one step further and added code that caused people to retweet the original tweet without their knowledge," he said.
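As an added illustration (not code from Twitter or from Lord's blog post), the sketch below shows one common way this class of bug arises, where a renderer turns URLs in message text into links without encoding them, next to a hardened renderer and a check of the kind a test suite can keep to catch the fix regressing after a site update. All function names and the sample message are hypothetical and constructed for this example.

```javascript
// Added example; every name here is hypothetical, not Twitter's code.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched URL is copied raw into a double-quoted attribute,
// so a double quote inside it ends href and whatever follows becomes a new attribute.
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: every piece of user text is HTML-encoded at output time,
// both the plain text around links and the URL inside the attribute.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="nofollow noopener">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Regression check: does any tag in the rendered HTML carry an on* attribute?
// Quoted attribute values are blanked first so only attribute names remain.
// This is a simple test-suite heuristic, not a full HTML parser.
function hasEventHandlerAttr(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => {
    const names = tag.replace(/"[^"]*"|'[^']*'/g, '""');
    return /[\s"']on[a-z]+\s*=/i.test(names);
  });
}

// Constructed sample message with a harmless handler body.
const SAMPLE_TWEET = 'look http://example.test/#"onmouseover="void(0)"';

console.log('unsafe output has handler:', hasEventHandlerAttr(renderTweetUnsafe(SAMPLE_TWEET)));
console.log('safe output has handler:  ', hasEventHandlerAttr(renderTweetSafe(SAMPLE_TWEET)));
```
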

Lord stressed there was no need for Twitter users to change passwords "because user account information was not compromised through this exploit."

"We apologize to those who may have encountered it," he said.

Graham Cluley of computer security firm Sophos said that in Sarah Brown's case her Twitter page tried to redirect visitors to a porn site in Japan.

Cluley said the hackers behind the attacks exploited the security hole "for fun and games."

"But there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed," he said.

Gibbs, the White House spokesman, told reporters the incident had not made him reconsider using Twitter.

"From time to time, I have no doubt that there will be those that want to gum up the system and things like that," he said. "I don't hesitate to continue to use it."

Without technology "we'd all be writing on - yes, parchment, or we'd be sending letters in the mail as press releases, which we used to do not too long ago," he said. "So, it's the vagaries of doing business."

Twitter, which allows users to pepper one another with messages of 140 characters or less, has over 145 million registered users firing off more than 90 million tweets a day, co-founder Evan Williams said recently.

Twitter unveiled a major redesign of its website a week ago that is being slowly rolled out to users of the service across the globe. The company said the attack was not connected to Twitter's revamp.
