Hackers Hit Twitter More for Devilry Than Profit

Twitter was hit by what’s called an “onMouseOver” attack this week that affected thousands of users.

The attack exploited a security flaw in Twitter, Bob Lord, a member of the site’s security team, wrote on the company’s blog. Users dubbed the hole the “onMouseOver” flaw because the first attack turned tweets different colors and brought up a popup box when a user’s mouse hovered over a link in the Tweet, Lord wrote. Other hackers added code that caused victims to unknowingly retweet the original message, according to Lord.

One follow-up attack redirected victims to a Japanese porn site.

Several people have been blamed for launching the attack, and it’s not yet clear who really kicked things off.

More importantly, the attack appeared to be a prank and not an attempt to make money. That still leaves open the question of whether hackers can indeed monetize Twitter hacks like this.

Squeaking About the onMouseOver Hack

Twitter crushed the onMouseOver attack in less than five hours, and it had completely cleaned house in another approximately two hours.

“This morning at 2:54 a.m. PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on it,” Twitter’s Lord wrote. “By 7 a.m. PDT, the primary issue was solved. And, by 9:15 a.m. PDT, a more minor but related issue tied to hovercards was also fixed.”

The security exploit that led to the hack was caused by cross-site scripting (XSS), Lord wrote.

XSS attacks place code from one website into another, a practice that has led to the development of Web 2.0 with its emphasis on user-generated content. In Twitter’s case, users submitted JavaScript code as plain text into a tweet, and this code could be executed in another user’s browser, Lord pointed out.

JavaScript is one of the scripting languages used for client-side website development, and it is one of the key technologies that make Web 2.0 technologies such as wikis possible. However, it facilitates XSS attacks because it lets scripts access objects within other applications.

Making Money With onMouseOver

Hacks that send unwitting users to porn sites are certainly unwelcome, but such activities appear to be mischievous pranks rather than the kind of moneymaking schemes used by many modern hackers. Could malware authors exploit Twitter attacks like this one for financial gain?

“The vast majority of exploits related to this incident fell under the prank or promotional categories,” Lord wrote. “However, we are not aware of any issues related to it that would cause harm to computers or their accounts,” he added.

Hackers may prefer not to leverage attacks on Twitter because of their rapid spread. The faster a threat spreads and the bigger it is, the more quickly it will get the attention of malware researchers and of the company whose site is being attacked. Generally, hackers prefer short-term, limited attacks so they can stay under the radar.

That doesn’t mean hackers won’t turn their attention to making money by attacking Twitter.

“I think many cybercriminals will turn their attention to finding the next Twitter bug,” Paul Wood, a senior analyst with MessageLabs Intelligence at Symantec Hosted Services, told the E-Commerce Times. “Twitter has become a killer app for the Internet; don’t let it be the silent killer for your business.”

Many Rats Make onMouseOver Work

It’s not yet clear who really is behind the onMouseOver attack.

“I’m really not sure who was first,” Randy Abrams, director of technical education at ESET, told the E-Commerce Times. “It appears that multiple parties took advantage of the vulnerability in the time it was exploitable.”

An Australian teenager named Pearce Delphin is the culprit, according to several published reports. Delphin, whose Twitter handle is “@zzap,” reportedly said he tweeted a piece of “mouseover” JavaScript code, which launches a pop-up window when a user’s cursor hovers over it, to see if JavaScript could be executed within a tweet.

However, The Guardian has claimed Japanese developer Masato Kinugawa was behind the hack.

Kinugawa’s work was reportedly picked up by several others, including app devs for a Russian site and for a Japanese porn site.

The vulnerability that led to the Twitter onMouseOver hack had already been discovered and patched last month, Twitter’s Lord wrote. However, a recent site update caused it to resurface, he said.

Coping With XSS

Is there any way to prevent the recurrence of XSS and other attacks after a site has been updated or patches have been implanted?

“Do penetration testing — lots of it,” ESET’s Abrams said. “The people who work on the upgrades need to have a good understanding of what has already been learned, and be constantly vigilant about how new features may be abused,” he added.

“Many websites are often found to have cross-site scripting problems,” Wood said.

IT and business managers must not override security issues for business concerns, Wood warned.

“The rush to release new functionality is often undertaken at the sacrifice of security or privacy controls,” he explained.

Twitter did not respond to requests for comment by press time.