30 Sep 2010

Twitter: Site update to blame for spam vulnerability

Twitter blamed an update to its website for re-opening a vulnerability that recently allowed cyber criminals to spread spam. The micro-blogging site said it had patched the hole a month ago, but the site revamp exposed the weakness again.

The vulnerability, which allowed JavaScript to be injected into tweets, was initially discovered by a Japanese developer, who used the hole to spread rainbow tweets. The more recent attack carried a malicious payload, redirecting users to pornographic and shock websites.

Spam quickly spread throughout the social networking site, infecting as many as 500,000 users according to an internet security company's estimate. That's a rate of 100 per second.

Twitter said the vulnerability was quickly patched, and that users need not fear a greater security risk.

"There is no need to change passwords because user account information was not compromised through this exploit," the company posted on its blog.

But the vulnerability was unrelated to the New Twitter, a complete site re-design the company rolled out this month. Page displays and the organization of information were all changed in a massive overhaul. Twitter insists the latest vulnerability was exposed in a separate update.