Twitter slammed for failing to prevent XSS worm

Micro-blogging site Twitter has come under fire from security experts after it was revealed that the vulnerability exploited by a number of worms to cause havoc on the site on Tuesday had already been fixed, but was accidentally reintroduced.

The JavaScript 'onMouseOver' bug had been addressed by the site's Trust and Safety team in August, but reappeared during a recent site update.

Security expert Graham Cluley of Sophos was one of the first to alert users to the worm, and explained how it worked in a video.

The basic programming error meant that a crafted link in a tweet was written into the page's HTML without its quotation marks being escaped, so text that should have been part of a web address could instead close the link's attribute and add an 'onMouseOver' event handler carrying JavaScript. That script ran as soon as a reader rolled their mouse pointer over the infected link, and it ran with the reader's logged-in session, which is how the worms could redirect victims to other web sites and, by posting the same payload from each victim's own account, replicate themselves in a stream of infected tweets that spread rapidly across the social media site.
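As an added example, not code from Twitter or from either worm, the following JavaScript shows the class of bug described above: a deliberately naive tweet auto-linker that writes a URL into an HTML attribute unescaped, a hardened version that escapes it, and a small attribute tokeniser that shows what a browser would make of each output. The payload tweet, the hostnames and all function names are constructed for this illustration.

```javascript
// Added example, not Twitter's code: a naive auto-linker with the
// onMouseOver class of bug, a hardened one, and an attribute tokeniser
// that models what a browser does with each rendering.

// Naive auto-linker: drops the matched URL straight into an href attribute
// with no escaping. A double quote inside the "URL" ends the attribute
// value early, and whatever follows is parsed as further attributes.
function autolinkNaive(tweetText) {
  return tweetText.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Escape every character that can close an attribute value, open a tag or
// start an entity, so attacker text can only ever be data, never markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened auto-linker: same matching, but the URL is escaped both where it
// lands in the attribute and where it is shown as link text.
function autolinkSafe(tweetText) {
  return tweetText.replace(/https?:\/\/\S+/g, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Minimal tokeniser for the attributes of the first <a> tag, following the
// forgiving rules browsers use: quoted or unquoted values, and a new
// attribute may begin right after a closing quote with no space in between
// (an HTML5 parse error, but one every browser tolerates, which is why a
// payload of this shape needs no whitespace). Returns {name: value}.
function anchorAttributes(html) {
  const start = html.indexOf('<a');
  if (start < 0) return null;
  const attrs = {};
  let i = start + 2;
  while (i < html.length && html[i] !== '>') {
    if (/[\s\/]/.test(html[i])) { i++; continue; }           // separators
    let name = '';
    while (i < html.length && !/[\s=\/>]/.test(html[i])) name += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {                          // quoted value
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++;                                                // closing quote
      } else {                                              // unquoted value
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Names of any on* event-handler attributes the browser would attach to the link.
function injectedHandlers(html) {
  const attrs = anchorAttributes(html) || {};
  return Object.keys(attrs).filter((n) => /^on/.test(n));
}

// Constructed payload (hostnames are placeholders): the "URL" ends with a
// quote, then supplies a handler that sends whoever hovers the link to
// another site. A worm would instead have the handler fetch a script that
// re-posts the payload from the victim's own session.
const CONSTRUCTED_PAYLOAD =
  'check this http://example.invalid/@"onmouseover="document.location=\'http://attacker.invalid/\'"/';

// Render the same tweet both ways and show what a browser would attach.
function demo() {
  const out = {};
  for (const [label, render] of [['naive', autolinkNaive], ['hardened', autolinkSafe]]) {
    const html = render(CONSTRUCTED_PAYLOAD);
    out[label] = { attributes: anchorAttributes(html), handlers: injectedHandlers(html) };
    console.log(label, JSON.stringify(out[label]));
  }
  return out;
}

demo();
```

Run with `node`: the naive rendering hands the browser an anchor with both an `href` and an `onmouseover` attribute, while the hardened rendering yields a single `href` whose value happens to contain `&quot;onmouseover=...` as inert text. The fix belongs in whatever library turns tweet text into HTML, which matches where Twitter applied its patch.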

Hundreds of thousands of users are believed to have been affected. One worm sent out a message to all the victim's followers with the text blacked out. Another, which affected the former UK PM's wife, Sarah Brown, sent users to a Japanese porn site.

By mid-afternoon, Twitter's Del Harvey, director of the Trust and Safety team, was reassuring users that the exploit had been patched. What was still to emerge, though, was that the patch had already been applied once, and that the outbreak should not have happened at all.

"We discovered and patched this issue last month," Twitter admitted later in a blog post. "However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it."

The bug had been disclosed on 23rd August, and was immediately patched in Twitter's open-source text processing library.

According to a report in the UK's Guardian newspaper, Japanese hacker Masato Kinugawa had tried to contact Twitter as early as 14th September - before the site rolled out its 'New Twitter' update - to inform them of the bug. After realising that it was still unpatched after the site revamp, he decided to test it using some worm code on Tuesday.

Kinugawa created the worm that sent blacked-out messages.

It isn't the first time the micro-blogging site has been hit by an outbreak such as this. Last year, 17-year-old hacker Michael Mooney let loose a series of worms.

In a blog post, security firm F-Secure predicted that Tuesday's events won't be the last we see of so-called 'cross-site scripting' (XSS) attacks on Twitter, and demonstrated just a few of the possible effects that can be achieved using the technique.

Twitter, for its part, has been quick to deny that the outbreak revealed shortcomings in the site's security.

"We're not only focused on quickly resolving exploits when they surface but also on identifying possible vulnerabilities beforehand," the company insisted on its blog.

"The vast majority of exploits related to this incident fell under the prank or promotional categories," Twitter explained.

"Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts.

"And, there is no need to change passwords because user account information was not compromised through this exploit."