Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Australian teenager Pearce Delphin has been credited with discovering the onMouseOver scripting vulnerability that hit twitter.com last night.
Delphin said he discovered the vulnerability at around 8pm after seeing @RainbowTwtr use a CSS exploit to change the background colour of tweets.
"Instead of just changing the appearance of a tweet, you could actually execute commands within the user's browser."
Delphin tested his theory by using the 'onMouseOver' command to generate a pop-up box that said: "uh oh".
The concept spread to his Twitter followers, and "within a matter of minutes, scripts had taken over my timeline", he said.
Curious of the exploit's potentials, Delphin was able to generate a dialog box containing data from the Twitter cookie file in users' browsers.
He noted that other hackers may be able to extract personal information - however, Twitter's 140-character limit also applied to malicious code.
The most malicious code, according to Delphin, was from @Matsta, whose script auto retweeted itself no matter where users moved their mouse within the Twitter window.
"I watched this very closely from the moment it was posted, and it had thousands of retweets within a minute of it being posted," he said.
"You could also write a script to get everyone to auto-follow your Twitter profile. However, I didn't actually see this executed, and I didn't attempt it on my account."
Twitter was notified of the exploit at 7.54am today (AEST), and claimed to have solved the problem within four hours.
The company claimed to have discovered and patched the issue last month, but "a recent site update - unrelated to new Twitter - unknowingly resurfaced it".
Delphin, who had the Twitter account @zzap since 2006, said Twitter's response was adequate, but "they could have handled it better".
"The fact that this vulnerability was omnipresent for hours, with no word from any Twitter staff prior to it being fixed, meant there was lots of confusion and distress within the Twitter community, and the security of the site was questioned," he said.
"Luckily when this vulnerability was first made public, it was apparently in the middle of the night in North America. The effects on Twitter had it been the middle of the day time there could have been a lot worse."
A self-proclaimed "English fanatic" Delphin was completing his VCE studies at Penleigh and Essendon Grammar School with software development and IT as subjects.
The seventeen-year-old said he sought work in security and journalism.
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.