Rough Week for Facebook and Twitter Users

Twitter and Facebook users have had a rough seven days. On Tuesday, a cross-site scripting (XSS) security hole that was found and fixed a month ago was reintroduced by mistake through a Twitter site update, and then over the weekend, Twitter was hit by hackers again.

A Twitter post explained the XSS problem this way:

"Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an 'onMouseOver' flaw -- the exploit occurred when someone moused over a link.

"Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge."

"This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit."
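The mechanics Twitter describes above, as an added illustration that is not Twitter's code: a link renderer that drops a URL straight into an href attribute lets a tweet containing a double quote terminate that attribute and supply its own onmouseover handler, which then runs whenever a reader's mouse passes over the link. The hardened version beside it stops the URL match at the first character that cannot appear in a URL, accepts only http/https, and attribute-encodes everything it emits. The tweet text, the payload and the function names are constructed for this example.

```javascript
// Added example (not Twitter's code): attribute injection through a linkifier,
// the vulnerable form beside a hardened one.

// Constructed tweet. The double quote after "@" is what closes the href
// attribute in the naive renderer; everything after it becomes new attributes.
const EVIL_TWEET = 'look at this http://example.com/@"onmouseover="alert(1)"//';
const BENIGN_TWEET = "see https://twitter.com/ today";

// Vulnerable: match "anything up to whitespace" and interpolate it unescaped.
const NAIVE_URL_RE = /https?:\/\/\S+/g;

function linkifyNaive(tweet) {
  return tweet.replace(NAIVE_URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// The characters that can break out of a double-quoted attribute or start a tag.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Hardened: only URL characters (RFC 3986 unreserved, reserved and percent),
// so the match ends at the first quote, angle bracket or space.
const SAFE_URL_RE = /https?:\/\/[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+/g;

function linkifySafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(SAFE_URL_RE)) {
    // Text between links is plain text: encode it too.
    out += escapeAttr(tweet.slice(last, m.index));
    const raw = m[0];
    let href = null;
    try {
      const u = new URL(raw);            // normalise and reject unparseable input
      if (u.protocol === "http:" || u.protocol === "https:") href = u.href;
    } catch (_) {
      href = null;                       // not a URL: render as text below
    }
    // Encoding on output is the control that makes injection impossible even
    // if the regex above turns out to be too permissive.
    out += href
      ? `<a href="${escapeAttr(href)}" rel="noopener nofollow">${escapeAttr(raw)}</a>`
      : escapeAttr(raw);
    last = m.index + raw.length;
  }
  return out + escapeAttr(tweet.slice(last));
}

// Rough detector for review: an unescaped on* handler sitting in attribute
// position (a quote or whitespace before it, "=" after it).
function hasInjectedHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

module.exports = { EVIL_TWEET, BENIGN_TWEET, linkifyNaive, linkifySafe, escapeAttr, hasInjectedHandler };
```

Running the two renderers over EVIL_TWEET shows the difference: the naive output contains `href="http://example.com/@"onmouseover="alert(1)"//"`, which a browser parses as three attributes, while the hardened output links only `http://example.com/@` and renders the remainder as `&quot;onmouseover=&quot;alert(1)&quot;//` text. Output encoding, not the URL regex, is the control to rely on; the regex only decides what gets to be a link.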

There are several stories such as here, here and here about who is "claiming credit" for the discovery.

Anyway, as a result, some Twitter accounts went nuts.

According to the LA Times, "White House Press Secretary Robert Gibbs’ Twitter account sent an unintelligible automatic message to his nearly 100,000 followers Tuesday morning ... ", while the London Guardian reported that "... Sarah Brown, wife of the former prime minister Gordon Brown, who has 1.1 million followers on the service, was hit by a version which redirected anyone who hovered their mouse over the infected tweet to a Japanese hardcore pornography site."

You can read about the spread of the worm in a Guardian story here and a timeline of it published in PCWorld here.

Then, over the weekend, Twitter had to stop a worm that ComputerWorld says posted obscene messages to Twitter accounts. A Twitter blog post yesterday says:

"A malicious link is making the rounds that will post a tweet to your account when clicked on. Twitter has disabled the link, and is currently resolving the issue.

UPDATE Sun Sep 26 18:41:49 UTC 2010: We've fixed the exploit and are in the process of removing the offending Tweets."

Facebook also had problems last week. On Wednesday, some Facebook users had difficulty accessing their accounts. Facebook blamed the problem on a third party vendor. According to this news report on Mashable:

"We are experiencing an issue with a third party networking provider that is causing problems for some people trying to connect to Facebook," [Facebook] told Mashable in a statement. "We are in contact with this provider in order to explore what can be done to resolve the issue. In the meantime, we are working on deploying changes to bypass the affected connections."

Then yesterday, Facebook went down for about 2.5 hours in what it called its worst outage in four years. The root cause lay in an automated system that verifies configuration values: a configuration change was flagged as invalid, and the system's attempt to correct the bad value made the problem worse rather than better.

Facebook, in a post providing a detailed explanation of the error, said that the automated system "ended up causing much more damage than it fixed."

Facebook apologized and said, "... we want you to know that we take the performance and reliability of Facebook very seriously."

A blog post by Kashmir Hill at Forbes notes that the outage looks suspiciously coincidental: it seems that a week earlier, Facebook engineers had been musing about what would happen if Facebook were to go down for an entire day.

A Facebook engineer responded by saying, "Human sacrifice, dogs and cats living together ... mass hysteria."

All very Ghostbustersish.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Editor
Robert Charette
Spotsylvania, Va.
Contributor
Willie D. Jones
New York City