The chaos that followed was short-lived but epic in its impact on the Twittersphere’s sense of security. While identity-theft issues have plagued the short-form blogging tool over the years, it had managed to avoid the sort of rolling blackouts—or in this case, redirects to porn sites, no less!—that so many other platforms have had to deal with, until now.
Delphin is only partly to blame for the extent of the attacks, however. An English security firm reportedly traced the source of the code to him within a few hours of his original post, but it was too late to prevent its modification by others, with the resulting auto-retweets, opened pornographic websites and general havoc unleashed upon the world. White House press secretary Robert Gibbs and Sarah Brown, wife of Britain's former Prime Minister Gordon Brown, were just two of the untold thousands of people impacted by the bug.
News reports have identified the other user as a Japanese developer named Masato Kinugawa, who, Mashable reports, said he had reported the XSS vulnerability to Twitter on Aug. 14. It was apparently patched at that time, but he later discovered that the vulnerability was exploitable again, so he created a Twitter account called RainbowTwtr, which he used to prove that the flaw could be used to create colored tweets.
All of this was known to Twitter, which acknowledged on its blog, “We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.”
As mentioned in an earlier report, people using the new Twitter website were apparently unaffected by the bug, but caution on the part of the company is highly warranted, considering the ease with which this vulnerability was exploited more than once.
As Mashable suggests, “Twitter should take a good look at its security before an attack similar to this one causes a lot more damage.”