Twitter users who granted access to their accounts to the Grader application have begun tweeting a bizarre and unauthorised message.
According to Rik Ferguson, senior security advisor at Trend Micro, Grader is typically used to evaluate a user's 'influence' on Twitter, but those who have allowed access to their accounts have begun sending a message that relates to Twitter founder Biz Stone promoting Twitter in 2006.
Ferguson said: "Fortunately, the link that has been endlessly tweeted by Grader users does not appear to host any malicious content. It points to a blog with an embedded YouTube video of Biz Stone back in 2006 promoting Twitter.
"The domain name of the destination site, however, might give us a clue to the motivation behind the attack. Seonix presumably refers to search engine optimisation and perhaps that is the real purpose of this attack. Forcing large numbers of Twitter users to tweet a link to the site may well be an effective method of pushing it up the search engine rankings. The domain seonix.org was created on the 11th February 2010 and the details of the owner have been anonymised."
He also pointed out that one of the victims of the attack was Dharmesh Shah, the founder of Grader. Grader is currently unavailable, but Shah posted an update on its sister site HubSpot claiming that a malicious user was able to post tweets impersonating Twitter Grader users that had authorised the application.
Shah said: "I spent much of the afternoon responding to people's tweets, letting them know about the problem and that we were working on it. Everybody's been super-understanding and patient."
He said that the incident was his fault as he was the "one that developed this particular feature that ended up getting hacked" and that he should have known better. He also said that HubSpot was shutting down several of the grader applications (not just Twitter Grader) and would be reactivating them on completely new servers with increased security.
Shah said: "The application and associated keys were disabled as soon as we discovered there was a problem and as it stands, no additional action is needed for users. Your username and password were not compromised - but it is never a bad idea to change your password periodically.
"We are working on a permanent resolution which will allow Twitter Grader to be available publicly again. Until this work is complete, neither Twitter Grader nor the Twitter Grader API will be available.
"My sincere apologies to all the users that were harmed by this security breach. This one really bothered me because all of you work hard to build trust, reputation and community on Twitter. These malicious tweets went out to your followers and compromised that trust. I really hate that I was responsible for that. And, to whoever it was that hacked in and sent out those tweets: that was not cool."
Ferguson said: "Message to users is: be aware and alert as to what you have and have not posted on Twitter. If you see a tweet that you know you did not post, please look where it came from (e.g. via an external service such as Grader). If it has come from an external place, please make sure you revoke the permission to the application in your Twitter account."
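The check Ferguson describes (find tweets you did not post, see which application sent them, then revoke that application) can be automated over an export of your own timeline. The script below is an added example, not code from the article, Trend Micro or HubSpot. It assumes the legacy Twitter API status format in which each tweet carries a `source` field holding an HTML anchor naming the posting application; the trusted-client allow-list and the sample timeline are constructed for illustration. It groups tweets by posting app, flags apps outside the allow-list, and highlights any app whose every post pushes the same URL, the pattern described above for the SEO-motivated hijack.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Clients the account owner actually uses. Any other app has posting rights it
# was granted via OAuth and is a candidate for revocation. (Assumed list.)
TRUSTED_SOURCES = {"Twitter Web Client", "Twitter for iPhone"}

# Legacy API 'source' field, e.g. '<a href="http://app.example" rel="nofollow">App</a>'.
SOURCE_RE = re.compile(r'<a href="([^"]+)"[^>]*>([^<]+)</a>')
URL_RE = re.compile(r"https?://[^\s]+")


def parse_source(source: str) -> Tuple[str, str]:
    """Return (app_name, app_url) from a legacy 'source' field."""
    m = SOURCE_RE.search(source)
    if not m:
        # Some first-party clients were reported as plain text, not an anchor.
        return source.strip(), ""
    return m.group(2).strip(), m.group(1)


def audit_timeline(tweets: Iterable[dict]) -> Dict[str, dict]:
    """Group tweets by posting application and flag suspicious ones.

    Each entry records how many tweets the app posted, the app's declared URL,
    a Counter of links it tweeted, whether it is outside the allow-list, and
    the single URL it pushed in every post (None if no such pattern).
    """
    report: Dict[str, dict] = {}
    for t in tweets:
        app, app_url = parse_source(t.get("source", ""))
        entry = report.setdefault(app, {
            "count": 0, "url": app_url, "links": Counter(),
            "untrusted": app not in TRUSTED_SOURCES, "repeated_link": None,
        })
        entry["count"] += 1
        for link in URL_RE.findall(t.get("text", "")):
            entry["links"][link.rstrip(".,)")] += 1
    for entry in report.values():
        if entry["links"]:
            link, n = entry["links"].most_common(1)[0]
            # Every post from this app carries the same URL at least twice over:
            # the "endlessly tweeted link" shape of a link-pushing hijack.
            if n >= 2 and n == entry["count"]:
                entry["repeated_link"] = link
    return report


def apps_to_revoke(tweets: Iterable[dict]) -> List[str]:
    """Names of third-party apps that posted to this timeline, for review/revocation."""
    report = audit_timeline(tweets)
    return sorted(app for app, e in report.items() if e["untrusted"])


# Constructed sample timeline (not real tweets); IDs and URLs are placeholders.
SAMPLE_TIMELINE = [
    {"id": 1, "text": "Heading to the office", "source": "Twitter for iPhone"},
    {"id": 2, "text": "Check this out http://example.org/video",
     "source": '<a href="http://grader.example" rel="nofollow">Example Grader</a>'},
    {"id": 3, "text": "Wow http://example.org/video",
     "source": '<a href="http://grader.example" rel="nofollow">Example Grader</a>'},
    {"id": 4, "text": "Posting my weekly stats http://example.com/stats",
     "source": '<a href="http://stats.example" rel="nofollow">Stats Poster</a>'},
    {"id": 5, "text": "Lunch.",
     "source": '<a href="http://twitter.com" rel="nofollow">Twitter Web Client</a>'},
]

if __name__ == "__main__":
    for app, e in audit_timeline(SAMPLE_TIMELINE).items():
        flag = "REVOKE" if e["untrusted"] else "ok"
        spam = f" (pushes {e['repeated_link']} in every post)" if e["repeated_link"] else ""
        print(f"{flag:6} {app!r} from {e['url'] or 'n/a'}: {e['count']} tweet(s){spam}")
```

Run against a JSON export of your own statuses instead of `SAMPLE_TIMELINE`; any app listed by `apps_to_revoke()` that you do not recognise, and especially one with a `repeated_link`, is the one to remove under the account's application settings. Revoking the token is the fix; changing the password alone does not invalidate an OAuth grant.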