- The worm exploits a now-patched vulnerability in Twitter, triggered when the site is used directly through the Web, to propagate and provoke a series of unusual events
- Mousing over the URL could redirect users to third-party pages, produce strange messages, blacked-out tweets, giant letters, etc.
- As many as 1,000 infections every 10 seconds had been recorded
- The attack is fully patched now and no longer exploitable
This morning, Panda Security witnessed the first massive infection of the popular Twitter social media site. Many users were astonished to see a strange string of characters appear in their profiles.
This is down to a vulnerability in Twitter, already fixed, that led to various unexpected events when users on twitter.com moused over these tweets:
- The malicious string can be automatically sent on to followers, spreading the malicious tweet further.
- Strange messages appear with giant letters, dialog boxes reading “Hello”, blacked out tweets, etc.
- Anyone visiting their profile may be redirected to another Web address.
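The symptoms listed above (a URL inside a tweet doing things on mouseover) are what you see when page markup is built from tweet text without escaping it. The page does not spell out Twitter's exact defect, so that mechanism is an assumption here; the following is an added example, not Panda Security's or Twitter's code, contrasting a naive link renderer with a hardened one on a constructed sample tweet.

```javascript
// Added example (not from the original article). Assumption: the tweet's URL
// text was concatenated straight into the page's HTML, so a quote character in
// it can close the href attribute and start another one such as onmouseover.

// Unsafe renderer: raw string concatenation, no escaping.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the five characters that matter in HTML text and double-quoted
// attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened renderer: parse the URL first (the WHATWG parser percent-encodes
// quotes and spaces in the path), only link http(s) schemes, and escape both
// the attribute value and the visible text.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return escapeHtml(url); // not a URL at all: render as plain text
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(url); // javascript:, data: etc. are never made clickable
  }
  const safe = escapeHtml(parsed.href);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Crude detection check for the output: an event-handler attribute (on...=)
// that starts after whitespace, a quote or a slash, i.e. outside the href value.
function hasEventHandlerAttribute(html) {
  return /(^|["'\s/])on\w+\s*=/i.test(html);
}

// Constructed sample (not the real worm payload): a "URL" whose quote character
// closes href and injects a harmless onmouseover attribute.
const CONSTRUCTED_TWEET_URL = 'http://example.invalid/" onmouseover="void 0"/';
```

Feed the constructed URL to both renderers: the unsafe one emits a live `onmouseover` attribute, the hardened one emits a single quoted `href` with the quotes and spaces percent-encoded.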
According to Luis Corrons, Technical Director of PandaLabs: “The main danger could be that the URL used in the attack could exploit another vulnerability to infect users’ computers. If, in addition to retweeting the code, a criminal were to embed the URL with drive-by-download techniques, we would be looking at millions of potential victims, though this is unlikely as Twitter will presumably fix the security hole before this happens.”
The source of the attack would appear to be an account created on Twitter, called Rainbow, the name that has now been given to the worm: