• The worm exploited a vulnerability in Twitter, since patched, that affected users accessing the site directly through the Web, in order to propagate and provoke a series of unusual events
  • Mousing over the URL could redirect users to third-party pages, generate strange messages, blacked-out tweets, giant letters, etc.
  • As many as 1,000 infections every 10 seconds had been recorded
  • The vulnerability has now been fully patched and is no longer exploitable

This morning, Panda Security witnessed the first massive infection of the popular Twitter social media site. Many users were astonished to see a strange string of characters appear in their profiles.

This is down to a vulnerability in Twitter, already fixed, that led to various unexpected events when users on twitter.com moused over these tweets:

  • The malicious string can be automatically sent to followers, furthering the distribution of the malicious tweet.
  • Strange messages appear with giant letters, dialog boxes reading “Hello”, blacked out tweets, etc.
  • Anyone visiting their profile may be redirected to another Web address.

The vulnerability allowed JavaScript to be run, opening a host of possibilities to users with malicious intentions.
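The defensive side of this, as an added illustration that is not Panda Security's or Twitter's code: it assumes the flaw was untrusted URL text from a tweet being inserted unescaped into an anchor's attributes when the page was rendered, so a quote in the text could close the `href` value and introduce an event handler. The sample tweet and both rendering functions are constructed for the example.

```javascript
// Constructed sample tweet: a URL whose text contains a double quote followed by
// an event-handler attribute (inert here). Not the real worm's payload.
const sampleTweet = 'http://example.invalid/x"onmouseover="void(0)"';

// Unsafe rendering (assumed shape of the original bug): the URL text is dropped
// straight into the attribute, so the quote ends href and the rest of the text
// becomes a new attribute on the <a> element.
function linkifyUnsafe(text) {
  return `<a href="${text}">${text}</a>`;
}

// Escape the five HTML-significant characters; safe for attribute and text context
// as long as attribute values are always wrapped in double quotes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Safe rendering: parse the URL, accept only http(s) schemes (so javascript: links
// are rendered as plain text), and escape before inserting. The WHATWG parser
// percent-encodes a double quote in the path as %22, and escapeHtml would neutralise
// it anyway, so the value can no longer terminate the href attribute.
function linkifySafe(text) {
  let url;
  try { url = new URL(text); } catch { return escapeHtml(text); }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return escapeHtml(text);
  const safe = escapeHtml(url.href);
  return `<a href="${safe}">${safe}</a>`;
}

// Helper for checking output: a correctly rendered link carries exactly two raw
// double quotes (the ones around the href value); any more means a break-out.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}
```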

According to Luis Corrons, Technical Director of PandaLabs: “The main danger could be that the URL used in the attack could exploit another vulnerability to infect users’ computers. If, in addition to retweeting the code, a criminal were to embed the URL with drive-by-download techniques, we would be looking at millions of potential victims, though this is unlikely as Twitter will presumably fix the security hole before this happens.”

The source of the attack would appear to be an account created on Twitter, called Rainbow, the name which has now been given to the worm.

Initially, the first JavaScript injections were simply jokes, though they have gradually evolved, and it would seem that some users have been using the vulnerability for other, more serious ends.

Twitter clients that didn’t run JavaScript, such as TweetDeck, were unaffected, and allowed users to continue using the social network without risk. You can now use the Twitter site directly, as the vulnerability has been patched.