No data breach in first Weibo attack

Malicious links injected by hacker via cross-site scripting vulnerability in popular Chinese microblogging site nets over 30,000 victims but personal data not compromised, reports indicate.
Written by Tyler Thia, Contributor

China's Sina Corp has confirmed that no user data was breached in the first wide-scale attack on popular microblogging site Weibo on Tuesday evening, according to media reports.

ZDNet Asia's sister site ZDNet China reported Wednesday that users of the Twitter-like service received a private message with malicious links advertising news, scandals and erotic movie torrents.

The links contained malicious code and, if clicked, would automatically be forwarded to the infected user's followers. Affected users would also automatically follow "@hellosamy", who claimed responsibility for the incident. However, the account was deleted shortly after the attack ended, reports said.

The situation was brought under control an hour later, according to Sina, which estimated that between 30,000 and 32,000 users were affected. The company, which has made a police report, said it is still investigating the attack, and does not know the identity of the attacker or what his motive might be.

Sina also promised to improve safety measures for the microblogging site.

ZDNet China revealed that the attacker exploited a cross-site scripting (XSS) vulnerability to run a malware program in Weibo's Web pages, causing the number of affected users to increase manyfold. While no personal information was breached, users were reminded to clear their cache for security purposes.

Local news site Tengxun.com reported that the hole has been patched, and malicious links are no longer active. It added that the lack of security awareness had made Weibo users easy targets for attacks.

Weibo currently has some 140 million Chinese users and recently launched an English version to compete with Twitter.

