15:56 Update – Cleaned-up Version
About 13:45 my friend Jon Katz tweeted:
http://is.gd/fl9A7 – which the excellent is.gd people rapidly switched off:
This shortened URL has been disabled due to a violation of our terms & conditions. Most likely this link was being used maliciously or was used in spam. Please be careful when visiting links you receive from somebody you don’t know.
For reference and to help those fighting spam the original destination of this URL is given below (we strongly recommend you don’t visit it since it may damage your PC): –
In short: it would propagate and tie up resources, rather than killing your hard disk or similar.
This is/was a cross-site scripting bug. There is some analysis at http://blog.inspired.no/xss-vulnerability-on-twitter-com-760 explaining that it propagated when people moused over 'black squares' of text (oversized font) on the main Twitter web client page.
Osmondmanurung: RT @migueltarga: www.t.co/@"onmouseover="document.getElementById('status').value='RT MiguelTarga';$('.status-update-form').submit();"class="modal-overlay"/
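The payload above works because the double quote inside what the link parser treated as a URL closes the href attribute, so the rest of the tweet is parsed as further attributes of the generated anchor tag, including an onmouseover handler that writes into the status box and submits the tweet form. What follows is an added example, not Twitter's code and not from the original post: a deliberately naive tweet linkifier that models that class of bug, beside a hardened one that escapes attribute values, plus a small attribute tokenizer to show which attributes a browser would actually see. The URL regex, the output markup and all function names are assumptions made for illustration.

```javascript
// Added example, not Twitter's code: a naive tweet "linkifier" that reproduces
// the attribute break-out described above, beside a hardened version.
// The URL regex and the <a> markup are assumptions for illustration only.

// The worm tweet quoted above, embedded here as constructed sample input.
const WORM_TWEET = `RT @migueltarga: www.t.co/@"onmouseover="document.getElementById('status').value='RT MiguelTarga';$('.status-update-form').submit();"class="modal-overlay"/`;

// Naive URL matcher: "www." followed by anything up to the next whitespace.
// It does not stop at a double quote, so the quote in the payload is carried
// straight into the href attribute.
const URL_RE = /\bwww\.\S+/g;

// Vulnerable: interpolates the matched text directly into an attribute value
// and into the link text without any escaping.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="http://${url}">${url}</a>`);
}

// Hardened: HTML-escape the characters that can terminate an attribute value
// or open a new tag before interpolating.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="http://${safe}">${safe}</a>`;
  });
}

// Minimal tokenizer for the attributes of the first <a ...> tag in a fragment.
// Like a browser, it starts a new attribute name immediately after a closing
// quote, which is exactly how the injected onmouseover becomes live.
function firstTagAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const attrRe = /([^\s=]+)="[^"]*"/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True if the generated anchor carries any on* event handler attribute.
function hasEventHandlerAttribute(html) {
  return firstTagAttributes(html).some((name) => name.startsWith('on'));
}

console.log('vulnerable attrs:', firstTagAttributes(linkifyVulnerable(WORM_TWEET)));
console.log('hardened attrs:  ', firstTagAttributes(linkifySafe(WORM_TWEET)));
```

Because the simplified matcher stops at whitespace, the injected handler is cut short at the space in 'RT MiguelTarga'; the point the example shows is the attribute break-out itself, which is the same regardless of where the match ends. The hardened version keeps the whole string inside the href value as `&quot;`-escaped text, so the browser sees a single (odd-looking) link and no handler.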
My suspicion was that if it wasn't patched soon enough, the worm would be combined with the #TwitterWorm hashtag and propagate through the hashtag most likely to be loaded by people seeking information. Graham Cluley posted a YouTube video demonstrating some of what the bug does on-screen.
It’s a much simpler XSS bug than I originally feared, and it appears to have now been fixed; @moeffju pointed out the mistake I made in my original postings but also helpfully linked to a git repo which gave me the hint to how it actually worked.
What was happening was that the
@USERNAME in the URL, so that the
Hopefully it’s all fixed now, except maybe for the stuff cached in RSS feeds and the like.
Makes rather a nice worked example for posterity.