Twitter has turned into wormville - Twitter Hacked

Twitter has turned into wormville this morning. The fast-spreading exploits proved two things: Twitter is undoubtedly now a mainstream service, and it's joined the ranks of big-time tech companies as a target for hackers.


For instance, Norwegian programmer Magnus Holm created a worm that exploited the latest cross-site scripting hole in Twitter and watched with amazement as it spread. Initially, he was disappointed with the impact of his worm. He tweeted, "Meh, this worm doesn't really scale. The users can just delete the tweet." An hour later, things had changed. He posted, "Holy s**t. I think this is exponential: 3381 more results since you started searching" followed by "This is scary."

"This keeps happening to Twitter because that's where the (prankster) mentality exists," said Sean Sullivan, security advisor for F-Secure's North American labs. "Twitter is a perfect outlet for that type of guy trying to show his chops."

The latest attacks seem to have started rather quietly, in the complex underworld of hacker forums and back-and-forth coder chatter. The earliest evidence that someone had come across the possibility of a mouseover exploit comes from a Japanese hacker, Masato Kinugawa, who tweeted this morning that he had discovered the problem on August 14 and alerted Twitter to it. Also last month, two Twitter employees referred to the mouseover code in a discussion on coding community site GitHub.

Kinugawa, under the impression that nothing had been done at Twitter to solve the problem he'd flagged, noticed that it was still an issue in the newly redesigned Twitter interface. Early this morning--the afternoon in Japan--he created a test account called "Rainbow Twtr" in which the same code flaw was used to create blocks of color in lieu of text tweets. That's when others began to notice, including Holm and @matsta, who also created a worm and has since had his account on Twitter suspended.

A blog post from Twitter security chief Bob Lord late this morning acknowledged the attacks and attempted to calm down hysterical users who weren't sure why their accounts were bizarrely tweeting long strings of HTML and JavaScript.
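Holes of this kind come from placing user-controlled tweet text into HTML without encoding it for the context it lands in. As an added illustration that is not code from the article or from Twitter, the following renderer autolinks URLs in a tweet while escaping both the link text and the attribute value, so quote characters in a tweet cannot add attributes such as onmouseover to the generated markup; the function and variable names and the sample tweet are constructed for this example.

```javascript
// Added example, not from the article: render user-controlled tweet text
// safely by escaping every untrusted value for the HTML context it lands in.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Only http(s) URLs become links; anything else stays as plain escaped text.
function isSafeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// Autolink URL-looking tokens in a tweet. The href value and the link text
// are escaped for the attribute and text contexts; the rest of the tweet is
// escaped as text. The URL regex is deliberately simple for the example.
function renderTweet(text) {
  const urlRe = /https?:\/\/[^\s]+/g;
  let out = "", last = 0, m;
  while ((m = urlRe.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += isSafeHref(url)
      ? `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`
      : escapeHtml(url);
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Defensive check for rendered markup: no tag may carry an inline
// event-handler attribute (on... = ...). Useful as a unit-test assertion.
function hasInlineHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample: a tweet whose "URL" contains quote characters that
// would close the href attribute if they were not escaped.
const sampleTweet = 'hello https://example.com/"onmouseover="x world';
console.log(renderTweet(sampleTweet));
```

Running it prints the link with `&quot;` in place of every quote, and `hasInlineHandler` on that output returns false.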