Twitter 'OnMouseOver' Attack May Have Started In Japan


Tuesday morning Twitter.com users were pummeled with a massive attack that subjected them to serial pop-ups, pornography and multi-colored tweets simply by moving the mouse over links carrying JavaScript code, even if they didn't click. Other versions of the attack retweeted users' tweets to all of their followers.

The "onMouseOver" attack lasted about five hours but was effectively shut down later Tuesday morning. Twitter confirmed in a blog post that a user saw the security hole and "took advantage of it."

One of the people thought to be at the helm of the widespread attack, known by the cyber name "Masato Kinugawa," said that he created the Twitter account "Rainbow Twtr" in an effort to shed light on an existing vulnerability.

In his posts, Kinugawa said that he contacted Twitter about the security flaw Aug. 14, but that Twitter remained unresponsive and failed to plug the hole. Kinugawa said that he decided to launch a prank exposing the flaw before malicious hackers got hold of it and used it to spread malware and steal users' credentials.


"Twitter had not fixed this critical issue long after it had been notified," Kinugawa tweeted. "Twitter left this vulnerability exposed, and its recognition of this problem was low. Rather than have someone maliciously abuse this under the radar, I decided it would be better to urgently expose this as a serious problem and have it be addressed."

The vulnerability in question was an "onMouseOver" JavaScript flaw that Twitter claimed it had already identified and patched in August. However, an August site update caused the glitch to resurface and opened the door for hackers to exploit the vulnerability with cross-site scripting attacks, which occur when malicious code is injected into a legitimate Web site and served to its users.

"We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it," said Twitter in a blog post Tuesday.

The multi-faceted attack appears to have been an international team effort. Other hackers responsible for the XSS attack reportedly include Norwegian programmer Magnus Holm, who took Kinugawa's code one step further by having the tweets "retweet" themselves, and included a link embedded with the "onMouseOver" script, according to The New York Times.

Meanwhile, Australian teenager Pearce Delphin further propelled the attack by embedding JavaScript into the tweets to make the "pop-up" windows appear simply by running the cursor over them.
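The flaw described above is an attribute-injection form of cross-site scripting: a link renderer that drops a user-supplied URL into an `href` attribute without escaping lets a double quote in the URL close the attribute and append new ones, such as an `onmouseover` handler. The following is an added example written for this page, not Twitter's code and not the code used in the attack; the function names, the constructed sample URL and the `void(0)` placeholder handler are all assumptions chosen to show the defect class beside its fix.

```javascript
// Added example, not Twitter's code: a vulnerable link renderer beside a
// hardened one, plus a small check that lists what attributes a browser would
// see on the rendered <a> tag.

// Vulnerable renderer: the URL is concatenated straight into the markup. A
// double quote inside the URL ends the href value, and everything after it is
// parsed by the browser as further attributes on the <a> tag.
function renderLinkVulnerable(url) {
  return `<a href="${url}">${url}</a>`;
}

// Escape the five characters that can break out of an attribute value or a
// text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: only http(s) URLs become links (defense in depth against
// script-bearing schemes), and the value is escaped for the attribute context
// so a quote can never terminate href.
function renderLinkHardened(url) {
  if (!/^https?:\/\//i.test(url)) return escapeHtml(url);
  const safe = escapeHtml(url);
  return `<a href="${safe}">${safe}</a>`;
}

// Review helper: list the attribute names present on a rendered <a> tag.
// Suitable for a unit test or a log-side check of rendered output.
function anchorAttributeNames(html) {
  const tag = html.match(/^<a\s+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s=]+)="[^"]*"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// True if any attribute on the tag is an inline event handler (on*).
function hasInlineHandler(html) {
  return anchorAttributeNames(html).some((n) => /^on/i.test(n));
}

// Constructed sample (not a real tweet): a URL whose quote closes href and
// appends a harmless onmouseover attribute. This is the attribute-injection
// shape the article describes; the handler body here does nothing.
const SAMPLE_URL = 'http://example.com/" onmouseover="void(0)" x="';

console.log(renderLinkVulnerable(SAMPLE_URL));
console.log('vulnerable has handler:', hasInlineHandler(renderLinkVulnerable(SAMPLE_URL)));
console.log(renderLinkHardened(SAMPLE_URL));
console.log('hardened has handler:', hasInlineHandler(renderLinkHardened(SAMPLE_URL)));
```

Running it under Node prints the vulnerable markup with three attributes (`href`, `onmouseover`, `x`) and the hardened markup with only `href`, because the quotes inside the value are now `&quot;` and stay inside the attribute. The escaping alone is what closes the hole the article describes; the scheme check is an extra guard worth keeping in any auto-linker.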

Micro-blogging site Twitter assured users in a blog post Tuesday that the "vast majority" of the attacks were pranks or promotions.

"We are not aware of any issues related to it that would cause harm to computers or their accounts," Twitter said.