Twitter was hit by what’s called an “onMouseOver” attack this week that affected thousands of users.
The attack exploited a security flaw in Twitter, Bob Lord, a member of the site’s security team, wrote on the company’s blog. Users dubbed the hole the “onMouseOver” flaw because the first attack turned tweets different colors and brought up a popup box when a user’s mouse hovered over a link in the Tweet, Lord wrote. Other hackers added code that caused victims to unknowingly retweet the original message, according to Lord.
One follow-up attack redirected victims to a Japanese porn site.
Several people have been blamed for launching the attack, and it’s not yet clear who really kicked things off.
More importantly, the attack appeared to be a prank and not an attempt to make money. That still leaves open the question of whether hackers can indeed monetize Twitter hacks like this.
Squeaking About the onMouseOver Hack
Twitter contained the onMouseOver attack in less than five hours, and it had fully cleaned up roughly two hours after that.
“This morning at 2:54 a.m. PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on it,” Twitter’s Lord wrote. “By 7 a.m. PDT, the primary issue was solved. And, by 9:15 a.m. PDT, a more minor but related issue tied to hovercards was also fixed.”
The security exploit that led to the hack was caused by cross-site scripting (XSS), Lord wrote.
Making Money With onMouseOver
Hacks that send unwitting users to porn sites are certainly unwelcome, but such activities appear to be mischievous pranks rather than the kind of moneymaking schemes used by many modern hackers. Could malware authors exploit Twitter attacks like this one for financial gain?
“The vast majority of exploits related to this incident fell under the prank or promotional categories,” Lord wrote. “However, we are not aware of any issues related to it that would cause harm to computers or their accounts,” he added.
Hackers may prefer not to leverage attacks on Twitter because of their rapid spread. The faster a threat spreads and the bigger it is, the more quickly it will get the attention of malware researchers and of the company whose site is being attacked. Generally, hackers prefer short-term, limited attacks so they can stay under the radar.
That doesn’t mean hackers won’t turn their attention to making money by attacking Twitter.
“I think many cybercriminals will turn their attention to finding the next Twitter bug,” Paul Wood, a senior analyst with MessageLabs Intelligence at Symantec Hosted Services, told the E-Commerce Times. “Twitter has become a killer app for the Internet; don’t let it be the silent killer for your business.”
Many Rats Make onMouseOver Work
It’s not yet clear who really is behind the onMouseOver attack.
“I’m really not sure who was first,” Randy Abrams, director of technical education at ESET, told the E-Commerce Times. “It appears that multiple parties took advantage of the vulnerability in the time it was exploitable.”
However, The Guardian has claimed Japanese developer Masato Kinugawa was behind the hack.
Kinugawa’s work was reportedly picked up by several others, including app devs for a Russian site and for a Japanese porn site.
The vulnerability that led to the Twitter onMouseOver hack had already been discovered and patched last month, Twitter’s Lord wrote. However, a recent site update caused it to resurface, he said.
Coping With XSS
Is there any way to prevent the recurrence of XSS and other attacks after a site has been updated or patches have been implemented?
“Do penetration testing — lots of it,” ESET’s Abrams said. “The people who work on the upgrades need to have a good understanding of what has already been learned, and be constantly vigilant about how new features may be abused,” he added.
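The recurrence Lord describes, a flaw that was fixed last month resurfacing after a site update, is exactly the situation the regression testing Abrams recommends is meant to catch. The following Python example is added here for illustration and is not Twitter's code: it models a deliberately naive tweet linkifier with a "before" renderer that interpolates a URL token straight into an anchor tag and a hardened renderer that restricts the scheme and attribute-encodes the value, then runs both against a small set of constructed XSS probes (an attribute break-out carrying an onmouseover handler, a javascript: URL and a tag injection; the probe strings are constructed for this test and are not the 2010 payloads). The check parses the rendered markup and flags any on* attribute, javascript: href or script tag, so it can run in CI every time the rendering code changes.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed probe tweets for the regression check (not the 2010 payloads).
# Each one tries a different way of turning a rendered link into a script sink:
# an attribute break-out, a javascript: URL, and a tag injection.
XSS_PROBES = [
    'check this out http://example.com/page',          # benign control case
    'http://example.com/"onmouseover="alert(1)"/',      # attribute break-out
    'javascript:alert(1)',                              # dangerous scheme
    'http://example.com/?q=<script>',                   # tag injection via text
]

# Naive linkifier rule: any scheme-like token with something after the colon.
URL_CANDIDATE_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*:\S+$')


def render_link_vulnerable(token: str) -> str:
    """'Before' form (constructed defect): the token lands in markup unencoded."""
    return f'<a href="{token}">{token}</a>'


def render_link_hardened(token: str) -> str:
    """Hardened form: allow only http(s) URLs with a host, and attribute-encode them."""
    parsed = urlparse(token)
    if parsed.scheme not in ('http', 'https') or not parsed.netloc:
        return html.escape(token)            # refuse to link it; show it as text
    safe = html.escape(token, quote=True)    # escapes < > & " ' for attribute context
    return f'<a href="{safe}">{safe}</a>'


def render_tweet(text: str, link_renderer) -> str:
    """Split on spaces, link URL-like tokens with link_renderer, text-encode the rest."""
    parts = []
    for token in text.split(' '):
        if URL_CANDIDATE_RE.match(token):
            parts.append(link_renderer(token))
        else:
            parts.append(html.escape(token))
    return ' '.join(parts)


class _SinkFinder(HTMLParser):
    """Collects script sinks from parsed markup: on* handlers, javascript: hrefs, script tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == 'script':
            self.findings.append('script tag')
        for name, value in attrs:
            if name.startswith('on'):
                self.findings.append(f'{tag}@{name}')
            elif name == 'href' and value and value.strip().lower().startswith('javascript:'):
                self.findings.append(f'{tag}@href=javascript:')


def find_script_sinks(markup: str) -> list:
    """Parse rendered markup (tolerantly, as a browser would) and report any script sink."""
    finder = _SinkFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def regression_check(link_renderer) -> dict:
    """Render every probe and return {probe: findings} for the ones that leak a sink.

    An empty dict means the renderer passed; wire this into CI so a site update
    that reintroduces the old flaw fails the build instead of reaching users.
    """
    failures = {}
    for tweet in XSS_PROBES:
        findings = find_script_sinks(render_tweet(tweet, link_renderer))
        if findings:
            failures[tweet] = findings
    return failures


if __name__ == '__main__':
    print('vulnerable renderer leaks:', regression_check(render_link_vulnerable))
    print('hardened renderer leaks:  ', regression_check(render_link_hardened))
```

The oracle deliberately parses the output rather than grepping it: a plain string search for "onmouseover=" would false-positive on a tweet that merely talks about the bug, while a parser only reports it when it has become an attribute of a tag. Keeping the probe list as data makes it cheap to add a case whenever a new bypass is learned, which is the institutional memory Abrams is asking upgrade teams to retain.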
“Many websites are often found to have cross-site scripting problems,” Wood said.
IT and business managers must not let business concerns override security issues, Wood warned.
“The rush to release new functionality is often undertaken at the sacrifice of security or privacy controls,” he explained.
Twitter did not respond to requests for comment by press time.