Oz teenager admits he’s responsible for Twitter hack

22 Sep 2010

A 17-year-old boy from Australia has admitted he inadvertently caused the massive hacker attack on Twitter yesterday that sent millions of users to a Japanese porn site and knocked down the White House press secretary’s Twitter feed.

Melbourne student Pearce Delphin, whose Twitter name is @zzap, has admitted exposing the security flaw which was then pounced upon by thousands of users and caused havoc for five hours.

The attack took advantage of Twitter’s main web interface, which failed to strip the “onMouseOver” JavaScript event handler from tweet text, so a tweet could carry script that ran in other users’ browsers.

The exploit attempted to redirect users to other websites, or to automatically report the tweets, as soon as a user simply hovered the mouse over the affected tweet.

The tweets involved were in large letters, making it difficult to avoid hovering over them.
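As an added illustration of the flaw the article describes (example code, not Twitter’s own, and assuming tweets were rendered by turning URLs into HTML links): building the link by pasting tweet text straight into an attribute lets an onMouseOver handler through, attribute-encoding the value keeps it out, and the final check is the kind of test a defender would run over rendered output.

```javascript
// Added example: unescaped attribute injection vs. encoded output.
// Assumption: the renderer turns every http(s) URL in a tweet into <a href>.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the raw URL text lands inside href="...". A double quote in the
// tweet closes the attribute and whatever follows is parsed as new attributes,
// including an onmouseover handler that fires when the tweet is hovered over.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Encode the characters that can change meaning in text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape the surrounding text and the URL (as attribute value and as
// link text) separately, so a quote in the tweet can never close the attribute.
function linkifySafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Defender check: does rendered markup contain an event-handler attribute?
// Matches on*= at start, after whitespace, or directly after a closing quote
// (browsers accept an attribute that follows a quoted value with no space).
function hasEventHandlerAttr(html) {
  return /(?:^|[\s"'])on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet: a URL followed by a quote and a handler attribute.
const SAMPLE_TWEET = 'Look http://example.com/"onmouseover="handler()" wow';
```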

The flaw was reported by Sophos, which noted that many users were exploiting it just for fun but warned that it could also be used for cyber crime.

“There is obviously the potential for cyber criminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” said Graham Cluley.

Those affected included Sarah Brown, the wife of former British Prime Minister Gordon Brown, who then warned users to avoid the affected tweet.

By yesterday evening Twitter said it had fully patched the cross-site scripting (XSS) vulnerability.

Delphin was one of the first people in Australia to start using Twitter and said the site had known about the vulnerability for months.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years