The names and faces behind the ‘onMouseOver’ Twitter worm attack

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

The names and faces behind the 'onMouseOver' Twitter worm attack

It’s been over 24 hours now since many Twitter users around the world found that their pages had become infested by messages spreading virally across the network.

The victims

High profile victims of the “onMouseOver” worm included ex-Prime Minister’s wife Sarah Brown, British businessman and host of BBC TV’s “The Apprentice” Lord Alan Sugar, and even Robert Gibbs, the press secretary to US President Barack Obama.

Twitter post from Robert Gibbs

Hundreds of thousands of Twitter users appear to have been hit by the attack – but should we blame them for what happened? I don’t think so. What did they do to deserve it? Not much, I’d argue. Most of them innocently rolled their mouse over a tweet or may have visited a popular Twitter users’ profile infected with a screen practically filled with huge text and near impossible to avoid with a mouse.

Sarah Brown's Twitter page

Those who tinkered with the vulnerability
Pearce Delphin
An Australian teenager called Pearce Delphin, who goes by the online handle of @zzap, claims that he discovered the vulnerability, using it to force a pop-up to appear when users rolled their mouse over a tweet, but didn’t create a worm.

Media reports quoted the 17-year-old from Melbourne as saying:

“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal… Hopefully I won’t get in trouble!”

Tweets posted from zzap's account

But to my mind, Delphin is being slightly misleading. Both he, and Norwegian programmer Magnus Holm (more about him later..), have admitted that they were inspired by activity on another Twitter account, RainbowTwtr, which were using some sneaky techniques (that really shouldn’t have been allowed) to turn messages into blocks of colour.

Colourful tweets from RainbowTwtr

The RainbowTwtr account, which has now been suspended, appears to have been created by a Japanese developer called Masato Kinugawa. He claims to have informed Twitter about the vulnerability on August 14. Twitter patched it but then – calamitously – allowed it to re-emerge.

It was at this point that Masato Kinugawa created the rainbow tweets to demonstrate, in a fairly harmless way, what could be done with the flaw.

Delphin and other Twitter users recognised that they could do more than just create fancy coloured blocks with the technique, and the pieces were in place for others to create a worm.

The people who wrote the worms

Norwegian Magnus Holm (known as @judofyr on Twitter) told the New York Times that when he heard about the exploit he wrote a simple worm which could spread to another Twitter users’ page if they rolled their mouse over an infected message, containing a solid block of black to hide the viral code.

Tweet from judofyr's account

Importantly, Holm’s worm doesn’t appear to be the one that infected the likes of Sarah Brown’s Twitter page.

Although Holm claimed to the BBC that he didn’t want to do “any ‘real’ harm”, I find it hard to accept that it was responsible of him to post viral code.

There have been plenty of viruses in the past which have been designed to be mischievous rather than malicious, but they can still inconvenience individuals and businesses, cause disruption and cost money to fix.

Holm says that he saw his worm pass at least 200,000 messages.

Yuck – that sounds pretty out of control to me, but worse was to come.

Sign up to our free newsletter.
Security news, advice, and tips.

It appears that the main worm, the one which caused the most trouble, was conceived by another Twitter user, not Magnus Holm, using the Twitter userid @matsta. His or her worm spread ferociously from account to account, in an attempt to redirect visitors to websites carrying online surveys. We also saw versions which appeared to drive traffic to a hardcore porn site based in Japan.

Clearly this person – not Australian teenager Pearce Delphin or the Norwegian Ruby programmer Magnus Holm – is the one who many of us would be most interested in identifying.

Japanese porn website

Twitter

And what of Twitter themselves?

Well, we’ve been somewhere similar before with them, of course.

In April 2009, a New York teenager called Mikeyy Mooney (yes, he really does spell it like that) released a series of worms in quick succession which exploited security vulnerabilities on Twitter in a similar way to the attack we saw yesterday, and generally laughing at the website’s expense.

Simply viewing an infected Twitter profile would infect your own Twitter account, passing his message on.

And every time Twitter said they had stamped out the worm and cured the vulnerability, the teenager would release another version spreading just as fast. He even released a version of his worm that displayed his phone number and invited Twitter to hire him!

At the time I commented that to be hit by one cross-site scripting worm may be regarded as a misfortune, to be struck three or four times in a row looks like carelessness.

Twitter with egg
By Twitter’s own admission, the latest vulnerability was patched last month, but then “it resurfaced due to a site update”.

How can a serious security vulnerability be found and fixed one month, and then forgotten about the next? This isn’t a tinpot website we’re taking about here – this is a major website name relied upon by millions every day.

There is no legitimate reason why live JavaScript should ever be allowed inside a Tweet, and sensible security would have dictated that any offending code should be sanitised or neutered before being published as tweets on the site. It would be perfectly possible to do a generic fix for the problem, which wouldn’t be specific to the latest attacks but would actually shut the door permanently on similar assaults in future.

Of course, we have to be grateful that Twitter did fix the problem fairly promptly once they became aware of it, and that the exploit wasn’t abused for more sinister purposes (such as installing malware, or opening backdoors for hackers to gain access to affected computers).

Things could have been much worse. And we must hope that lessons have been learnt so similar problems do not occur again.

Security has to be at the heart of social networks like Facebook and Twitter, or they risk disenfranchising their users or (worse) putting them at risk for identity thieves and virus writers.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.