Twitter users hit by 'WTF' viral message

The malicious message sent users to a web page, which then spread vulgar messages around the microblogging site, according to security firm Sophos
Written by Tom Espiner, Contributor

Twitter users were hit by a message worm over the weekend less than a week after a JavaScript hack opened pop-ups and browser windows.

The latest hack, which the social-media company fixed on Sunday, used a cross-site request forgery technique to automatically post from an infected user's account, according to security company Sophos.

"Twitter has responded rapidly to shut down a new worm, which spread vulgar messages from many affected users' accounts saying they err.. were fond of goats," wrote Sophos senior technology consultant Graham Cluley in a blog post on Sunday. "Users found their accounts were posting the message of goat romance after they clicked on links reading: WTF."

People who clicked on the link were sent to a site that appeared to be blank but contained approximately 15 lines of code, Cluley told ZDNet UK on Monday. The code used a cross-site request forgery technique to post a message about "wanting to do things with a goat" from the user's Twitter account, and also to distribute the link via Twitter, he said.

High-profile Twitter users, including technology blogger Robert Scoble, fell victim to the attack. "Someone I knew tweeted the WTF link, and that got me to click," Scoble wrote in a post to Twitter on Sunday. "I'm too trusting, I learned. Sorry."

Twitter said on its status page on Sunday that the issue had been resolved. "We've fixed the exploit and are in the process of removing the offending tweets," the company said.

The exploit appeared to be merely mischievous, Cluley said, but he added that the Twitter flaw could easily have been used to propagate malicious code. He suggested that the microblogging site could use a cryptographic token, called a 'nonce', to verify that a posting request genuinely originated from the user.
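To make the mechanism in the two passages above concrete, the following is an added illustration (not Twitter's code, not the worm's code, and not anything published by Sophos) of the anti-CSRF 'nonce' Cluley describes. The endpoint name, the session store, the request shape and the site origin are assumptions made for the example. It shows why a request triggered from a third-party page carries the victim's session cookie automatically but cannot carry the per-session secret token that only the site's own pages ever see, so a token check rejects the forged post while the same user's legitimate post succeeds.

```python
"""Synchronizer-token CSRF defence for a 'post a status' endpoint.

Added example, not code from the original article or from Twitter.
Endpoint, session store, request shape and origin are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> {"user", "csrf"}
SESSIONS: dict[str, dict] = {}

SITE_ORIGIN = "https://example-social.test"  # placeholder site origin


def log_in(user: str) -> str:
    """Create a session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The site embeds this in its own forms; a foreign origin cannot read it."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    cookies: dict[str, str]
    form: dict[str, str]
    headers: dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def handle_post_status(req: Request) -> Response:
    """Assumed POST /status/update: cookie auth plus token and origin checks."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return Response(401, "not logged in")

    # Defence 1: synchronizer token. The browser attaches the cookie to any
    # request, but another origin's page never learns the token, so it
    # cannot include it. Constant-time compare avoids timing leaks.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return Response(403, "csrf token missing or invalid")

    # Defence 2 (defence in depth): reject if the browser reports a foreign
    # Origin/Referer. A missing header is treated as untrusted here, which
    # is strict; some deployments relax this for privacy-stripped Referers.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return Response(403, "cross-origin request rejected")

    return Response(200, f"{session['user']} posted: {req.form.get('status', '')}")


def demo() -> tuple[int, int]:
    """Legitimate same-origin post vs. a request forged by a third-party page."""
    sid = log_in("victim")
    legit = Request(
        cookies={"session": sid},
        form={"status": "hello", "csrf_token": csrf_token_for(sid)},
        headers={"Origin": SITE_ORIGIN},
    )
    # Forged request: the session cookie rides along automatically, but the
    # third-party page has no token to send and reports a foreign Origin.
    forged = Request(
        cookies={"session": sid},
        form={"status": "forged status"},
        headers={"Origin": "http://third-party.invalid"},
    )
    return handle_post_status(legit).status, handle_post_status(forged).status


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The token check alone is what defeats the class of attack described in the article; the origin check is a second, independent layer so that a single mistake (for example, a form that forgets to include the token) does not silently reopen the hole.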

On Tuesday, Twitter was widely exploited by pranksters. That hack abused the 'onmouseover' JavaScript event handler to launch pop-ups and browser windows to third-party sites.
