Three different Twitter users claim to have first exploited the “onmouseover” flaw, which is apparently a month old
Confusion surrounds the Twitter hack after an Australian teenager admitted to being the one responsible, but other reports said that a Japanese developer had discovered the flaw and reported it a month ago.
Twitter has since fully patched the flaw, which affected thousands of Twitter accounts. The problem came to light just one week after Twitter rolled out a major redesign of its site.
The code exploited what is known as a cross-site scripting (XSS) vulnerability.
I Am Spartacus
The teen admitted his part in the origin of the exploit after a security firm called Netcraft tracked it back to him. He is apparently just a few weeks off graduating from high school and hopes to study law. He had not yet told his parents about the cyberstorm he’d created.
“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal,” he said. “Hopefully I won’t get in trouble!”
No, I Am Spartacus
But other reports offer a different view of the Twitter flaw.
According to the Guardian, the original discovery of the XSS hack was made by a Japanese developer called Masato Kinugawa. He said that he reported an XSS vulnerability to Twitter on 14 August, and then discovered that the “new” Twitter, launched on Tuesday 14 September, had the same problem.
He then set up a Twitter account called “Rainbow Twtr”, which showed how the XSS weakness could be used to make tweets turn into different colours. He did this at 10am BST (the afternoon in Japan, but at Twitter HQ on the West coast of the US it was the middle of the night, so nobody was watching for security flaws).
Kinugawa’s idea was then spotted by others.
No, I Am Spartacus
And yet another person also claimed to be behind the flaw, saying that he was the first Twitter member to exploit the flaw.
According to the New York Times, Norwegian programmer Magnus Holm said that he created his exploit “because I wanted to experiment with the flaw. … The purpose was simply to see if it was possible to create a worm.”
Twitter, for its part, said in a blog post that the bug had been fixed last month, but was reintroduced by mistake, presumably by the site redesign.
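As an added illustration of the defensive side (not Twitter's code and not code from the article; the renderer, the URL pattern and the sample tweet are constructed assumptions): a tweet renderer that escapes user text in both text and attribute context, together with the kind of regression check that would flag an onmouseover-style fix being lost again in a redesign.

```javascript
// Added example, not Twitter's implementation. User-controlled tweet text is
// escaped wherever it lands in the HTML, including inside the href attribute
// of the auto-generated link, so an injected event handler stays inert.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Only http(s) URLs are linked; quotes and angle brackets end the match, so
// a URL can never carry them into the attribute.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

function renderTweet(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Regression check: every tag in the rendered HTML must be one the renderer
// emitted itself, and none may carry an on* event-handler attribute. Because
// escaped text contains no "<" or ">", any extra tag means the escaping broke.
function tagsWithEventHandlers(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.filter((tag) => /\son[a-z]+\s*=/i.test(tag));
}

// Constructed sample tweet that tries to close the href attribute early.
const SAMPLE_TWEET = 'see http://example.invalid/x" onmouseover="1" y="';

function sampleRendersSafely() {
  const html = renderTweet(SAMPLE_TWEET);
  return tagsWithEventHandlers(html).length === 0;
}
```

A check like sampleRendersSafely() belongs in the test suite that runs on every deploy, which is exactly what a redesign that quietly drops an earlier fix would trip over.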