Are Your Tweets Safe? Lessons from the Twitter Worm

Twenty-five minutes was all it took for Twitter to fix the scripting flaw that enabled hackers to insert malicious code into hundreds of Twitter feeds early yesterday morning. That quick response was accompanied by the more disturbing news that the company had been warned of the potential danger as early as August 14. Should tweeters be alarmed that it could happen again? Are your tweets safe?

The “Twitter worm” was caused by cross-site scripting (XSS), a flaw that lets script supplied by an untrusted source run inside another website’s pages. According to the company, “in this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another.”

Credit for the attack was quickly claimed, first by a Japanese developer called Masato Kinugawa who said he alerted the company to an “XSS vulnerability” on August 14th only to discover the same risk in the new interface launched by Twitter this month.

He set up a “Rainbow Twtr” account to show how the weakness could be exploited and, as social networkers will do, others quickly caught on and followed his lead. Before Twitter headquarters had even woken up, thousands of their customers were being redirected to third-party sites and unknowingly sending pop-up websites and messages just by moving, not even clicking, their cursor over a tainted link.

Luckily for both Twitter and its users, the bug was more mischief than danger: it did not pose a threat to computers or users’ accounts and only affected those using the web site, not third-party software or apps like Tweetdeck.

Twitter fixed the problem by sanitizing the input so the JavaScript was no longer rendered as executable code, a quick and easy fix that simultaneously exposed the bigger damage for the company: that it was caught off guard by a relatively simple attack and was already facing warnings it could happen again.
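The mechanism the article describes (tweet text pasted into the page as markup, and the fix of sanitizing it) can be shown side by side. The following is an added example and not Twitter’s code: a hypothetical tweet renderer that auto-links URLs by string concatenation, beside a hardened version that restricts the characters accepted in a URL and HTML-escapes everything before it reaches the page. The sample tweet is constructed for the demonstration; the helper `hasInjectedEventHandler` is a simple check a reviewer could run over rendered output to confirm that no tag carries an event-handler attribute.

```javascript
// Added example (hypothetical renderer, not Twitter's own code).

// HTML-escape the characters that matter in text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: anything that looks like a URL is pasted straight into
// an <a> tag. A double quote inside the "URL" closes the href attribute, and
// whatever follows is parsed by the browser as further attributes of the tag.
function renderTweetVulnerable(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened renderer, two layers:
//  1. the URL pattern stops at whitespace, quotes and angle brackets, so a
//     quote can never be part of the captured URL;
//  2. every fragment, URL and plain text alike, is HTML-escaped before it is
//     placed into the markup, so a stray quote becomes &quot; rather than
//     terminating an attribute.
const URL_RE = /(https?:\/\/[^\s<>"']+)/;

function renderTweetSafe(text) {
  // split() with a capturing group returns [text, url, text, url, ...];
  // odd indexes are the captured URLs.
  return text
    .split(URL_RE)
    .map((part, i) => {
      const safe = escapeHtml(part);
      return i % 2 === 1 ? `<a href="${safe}">${safe}</a>` : safe;
    })
    .join('');
}

// Defensive check: does any tag in the rendered HTML carry an on* attribute?
// Matches the attribute even when it directly follows a closing quote, which
// browsers tolerate without intervening whitespace.
function hasInjectedEventHandler(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}

// Constructed sample tweet carrying a quote inside the URL-looking text.
const SAMPLE_TWEET = 'Check this: http://example.com/@"onmouseover="alert(1)"/';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderTweetVulnerable(SAMPLE_TWEET));
  console.log('safe:      ', renderTweetSafe(SAMPLE_TWEET));
  console.log('handler in vulnerable output?', hasInjectedEventHandler(renderTweetVulnerable(SAMPLE_TWEET)));
  console.log('handler in safe output?      ', hasInjectedEventHandler(renderTweetSafe(SAMPLE_TWEET)));
}
```

The vulnerable renderer emits `<a href="http://example.com/@"onmouseover="alert(1)"/">…`, where the injected attribute sits inside the tag exactly as the article describes; the hardened renderer emits `<a href="http://example.com/@">…</a>&quot;onmouseover=…`, plain text that the browser displays but never executes. Context-aware output encoding, not just stripping a blacklist of strings, is the durable fix.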

And for tweeters looking to avoid a headache, the biggest lesson is to use a third-party, non-HTML-based Twitter client like Tweetdeck, Seesmic, or Dabr, or to use the Twitter mobile site.

The episode also showed once again that no one is invincible online or immune from scams. Tuesday’s Twitter worm slid all the way into the White House, infecting the Twitter feed of Press Secretary Robert Gibbs, and across the Atlantic to 10 Downing Street in England where it hit Sarah Brown, wife of the former prime minister Gordon Brown.