Twitter attacked with worms by hackers

Computer worms — packages of malicious software specially written by hackers — attacked the mini-blogging service Twitter Tuesday.

Twitter executives said they quickly patched the security flaw, which had been posted early Tuesday by a Japanese user and exploited by dozens of hackers.

But the worms, some of which redirected users to porn sites, affected hundreds of thousands of victims, including White House Press Secretary Robert Gibbs and Sarah Cameron, wife of British Prime Minister David Cameron.

The incident demonstrated the extraordinary speed with which hackers can exploit such previously unknown, “Zero Day” vulnerabilities.

And it showed the exponential way such exploits spread through widely used and potentially insecure social media like Twitter, which enables millions of users to post 140-character messages called tweets. Users follow each other so their tweets appear on each other’s personal pages on the service Web site.

The worms exploited the same security flaw in software called Javascript, which powers many special features on the Web. The “onmouseover” flaw meant that infected tweets were activated when users just hovered or passed over them with their computer pointers.

Washington Times national security correspondent Eli Lake, an avid user of Twitter, said the worm that infected his service seemed to do nothing more malicious than resend itself to all those who follow him on the service.

“It sent a tweet I didn’t want to send” containing the same malicious code that infected his account, he said.

A Twitter spokeswoman said Tuesday the company had no way of measuring the severity of the outbreak. “We don’t have those numbers,” Carolyn Penner told The Washington Times in an e-mail.

But researchers at Internet security firm Kaspersky said that, at its height, the worms were responsible for tweeting up to 100 posts every second.

“Although accurate numbers are hard to extrapolate from the existing data, the total number of malicious posts could have easily exceeded half a million,” Kaspersky’s Georg Wicherski said.

Twitter Security Chief Robert Lord said the exploit code was first posted at 5:54 a.m. EDT, and was patched by 10 a.m., so the worms using it appear to have struck hardest in Europe, where the vulnerability was unpatched for much of the business day.

The worms did not affect those using Twitter’s special site for mobile devices, because that does not use Javascript.

After Mrs. Cameron’s account posted an infected tweet, she posted a warning to her followers “Don’t touch the earlier tweet — this Twoter (sic) feed has something very odd going on.”

Another victim was the White House’s Mr. Gibbs, who warned at 7:30 a.m.: “My Twitter went haywire - absolutely no clue why it sent that message or even what it is … paging the tech guys …”