Twitter says it repaired security flaw

By Jessica Guynn, Los Angeles Times

Sept. 22, 2010 12 AM PT

Reporting from San Francisco —

Hackers exploited a security flaw on Twitter Inc.’s website Tuesday and for several hours caused havoc for users who were redirected to porn websites and received garbled messages.

Not even White House Press Secretary Robert Gibbs was immune, posting: “My Twitter went haywire — absolutely no clue why it sent that message or even what it is … paging the tech guys …”

Former British Prime Minister Gordon Brown’s wife Sarah — and her more than 1 million Twitter followers — encountered the bug when her Twitter page connected visitors to a hardcore pornography site in Japan.

Hackers used a programming command known as onmouseover, which makes messages pop up and websites open automatically when a mouse cursor hovers over it — even if the user does not click on it. The command also spammed followers with incomprehensible messages.

Twitter said in a blog post that it patched the flaw within four hours and that no user information or computers were compromised. But it was the latest incident to raise concerns about security at the popular messaging service.

The attack did not appear malicious but easily could have been, analysts said. The pop-ups could have contained malicious code to prey on unprotected or poorly protected computers.

A Japanese developer may have discovered the vulnerability , according to Twitter posts, and the first hacker to exploit it on Twitter.com appears to have been Magnus Holm, a Norwegian programmer who uses the Twitter handle @judofyr. He described the code he wrote as harmless.

A spokeswoman for Twitter, which has 160 million users, said it did not know how many were affected.

Analysts said such incidents were unlikely to dampen Twitter’s popularity with consumers or with the advertisers trying to reach them.

“Because Twitter has become such a utility for most of its users, Twitter members just grit their teeth and wait for the problem to be solved,” said Lou Kerner, a social media and Internet analyst with Wedbush Securities Inc. “If the members aren’t turned off by the technical issues, it’s unlikely that the advertisers will be.”

For years Twitter had trouble managing its explosive growth, leaving it more vulnerable to attack, analysts say. Twitter had several major security breaches in 2009. Among them, in January 2009, a hacker got access to the Twitter account of President-elect Barack Obama, dispatching to his followers a bogus offer for free gasoline. In April 2009, a hacker broke into a Twitter employee’s personal e-mail account and accessed profile data and updates of Twitter users.

The attacks prompted a Federal Trade Commission investigation into the security and privacy protection Twitter offers its users. Twitter settled the investigation in June and agreed to set up a security program that would be audited by an outside company.

Unidentified hackers often bombard social networking sites, including Facebook and Twitter. But users worry less about their safety on Twitter than on other services where they store more personal information, Forrester Research analyst Augie Ray said.

Because Twitter patched the problem quickly, “your average Twitter user probably doesn’t even know what happened,” Ray said.

The attack appeared to affect Twitter’s old design, not the redesign it rolled out at a news conference at its San Francisco headquarters last week.

jessica.guynn@latimes.com

Times staff writer Tiffany Hsu contributed to this report.