A Japanese Implies He Began Today’s Twitter XSS Atack Storm

[Update] Title changed

As TechCrunch reported, the security attack letting twitter.com login users to post any tweets has been spread within hours all over the twittersphere. Because the attack utilizes the Twitter’s cross site scripting bug and Javascript onmouseover, it was easy to force people using Twitter web clients (both PC and mobile) to re-post the attack code. There are tricked users observed in many languages.

Although the one variant which British ex-prime minister’s wife Sarah Brown distributed pointed Japanese porn site, Japanese Twitter users seemed to catch scripts which are rather harmless, “Rainbow Twitter”, “Konnichiha Konnichiha”, etc. worms. So Japanese Twitter users could notice the issue without trapping their followers in serious way and could avoid using Twitter.com website and few Twitter clients which have the same vulnerability.

The “Rainbow Twitter”(@RainbowTwtr, now it is safe to visit as Twitter fixed it.), which was claimed to be started by a Japanese blogger @kinugawamasato, who tweeted that he is the person who had reported this vulnerability “XSS-after-@” issues to Twitter on August 14th.

The colour-changing tweets were posted around 4:37 p.m. Japan Standard Time. (12:37 a.m. PST) [link]

He wrote “This issue is critical but Twitter had not fixed it for long, in addition, Twitter themselves has been showing their low-awareness to it by leaving this vulnerability. So I decided to show the rainbows, by thinking it is better to let them recognize the gravity of the situation and take countermeasure than the security hole maliciously and secretly used.”

I have not confirmed if this @kinugawamasato’s warning script was the first one among the all different scripts stormed Twitter.

He also tweeted “The issue is being recognized now because distributed in shocking way, but the vulnerability has been there regardless I stated or not. I would like to ask Twitter why they had not fixed urgently before it was widely spread. There were people who noticed the test page.”

What he pointed above is a page on github, source-code hosting service. There Matt Sanford publicized the test code which can cause the same color-change on Twitter on August 25th.

The “Konnichiha Konnichiha”(“Hello, hello” in Japanese) worm was done by @Hamachiya2, who is known to play on XSS security hole with that phrase on many web services including Mixi and Hatena. He seemed to see the Rainbow Twtr and soon tweeted his version.

Also, variant drawing Hatsune Miku seemed widely spread in Japanese twittersphere. The movie is here,

Please install the Flash Player


The following two tabs change content below.
@akky is one of the first Japanese pro-bloggers [J]. He also leads Asiajin, writes a tech column on The Japan Times, consults for some foreign companies interested in Japanese web market. (please inquire to akimoto on gmail.com).