A 17-year-old Australian schoolboy yesterday said he unwittingly caused a massive hacker attack on Twitter which sent users to Japanese porn sites and took out the White House press secretary’s feed.
Pearce Delphin, whose Twitter name is @zzap, admitted exposing a security flaw that was then pounced upon by hackers, affecting thousands of users and causing havoc on the microblogging site for about five hours.
Delphin, who lives with his parents in Melbourne, said he tweeted a piece of “mouseover” JavaScript code which brings up a pop-up window when the user hovers their cursor over the message.
However, the idea was soon taken up by hackers who tweaked the code to redirect users to pornographic sites and create “worm” tweets that replicated every time they were read.
“I did it merely to see if it could be done ... that JavaScript really could be executed within a tweet,” Delphin told reporters via e-mail. “At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn’t even considered it.”
Twitter apologized to its millions of users after the “mouseover bug” raged through the site, opening pop-up windows in Web browsers and automatically generating tweets from other accounts.
White House press secretary Robert Gibbs and Sarah Brown, wife of former British prime minister Gordon Brown, were among those hit by the bug before engineers patched it up.
The “Netcraft” security Web site traced the malicious code back to Delphin, who said he got the idea from another user who employed a similar code to make his profile and tweets rainbow-colored.
“After that, it seems like some of my followers realized the power of this vulnerability, and within a matter of minutes scripts had taken over my timeline,” Delphin said.
The glitch was mainly used for pranks, but Delphin said it could have been used to “maliciously steal user account details.”
“The problem was being able to write the code that can steal usernames and passwords while still remaining under Twitter’s 140 character tweet limit,” he said. “Luckily, no one, as far as Twitter admits, actually used this to extract passwords from users.”
Experts said the problem could have been exploited for more sinister purposes by hackers redirecting users to third-party Web sites containing malicious code, or for spam advertising.
Delphin was one of the first people in Australia to start using Twitter, back in 2006, and said the site had known about the problem for “months” but failed to patch it.
The teen is just a few weeks off graduating from high school and hopes to study law. He had not yet told his parents about the cyberstorm he’d created.
“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal,” he said.
“Hopefully I won’t get in trouble,” he added.
Twitter unveiled a major redesign of its Web site a week ago that is being slowly rolled out to users of the service across the globe. The company said the attack was not connected to Twitter’s revamp.
CONFRONTATION: The water cannon attack was the second this month on the Philippine supply boat ‘Unaizah May 4,’ after an incident on March 5 The China Coast Guard yesterday morning blocked a Philippine supply vessel and damaged it with water cannons near a reef off the Southeast Asian country, the Philippines said. The Philippine military released video of what it said was a nearly hour-long attack off the Second Thomas Shoal (Renai Shoal, 仁愛暗沙) in the contested South China Sea, where Chinese ships have unleashed water cannons and collided with Philippine vessels in similar standoffs in the past few months. The China Coast Guard and other vessels “once again harassed, blocked, deployed water cannons, and executed dangerous maneuvers” against a routine rotation and resupply mission to
GLOBAL COMBAT AIR PROGRAM: The potential purchasers would be limited to the 15 nations with which Tokyo has signed defense partnership and equipment transfer deals Japan’s Cabinet yesterday approved a plan to sell future next-generation fighter jets that it is developing with the UK and Italy to other nations, in the latest move away from the country’s post-World War II pacifist principles. The contentious decision to allow international arms sales is expected to help secure Japan’s role in the joint fighter jet project, and is part of a move to build up the Japanese arms industry and bolster its role in global security. The Cabinet also endorsed a revision to Japan’s arms equipment and technology transfer guidelines to allow coproduced lethal weapons to be sold to nations
Thousands of devotees, some in a state of trance, gathered at a Buddhist temple on the outskirts of Bangkok renowned for sacred tattoos known as Sak Yant, paying their respects to a revered monk who mastered the practice and seeking purification. The gathering at Wat Bang Phra Buddhist temple is part of a Thai Wai Khru ritual in which devotees pay homage to Luang Phor Pern, the temple’s formal abbot, who died in 2002. He had a reputation for refining and popularizing the temple’s Sak Yant tattoo style. The idea that tattoos confer magical powers has existed in many parts of Asia
ON ALERT: A Russian cruise missile crossed into Polish airspace for about 40 seconds, the Polish military said, adding that it is constantly monitoring the war to protect its airspace Ukraine’s capital, Kyiv, and the western region of Lviv early yesterday came under a “massive” Russian air attack, officials said, while a Russian cruise missile breached Polish airspace, the Polish military said. Russia and Ukraine have been engaged in a series of deadly aerial attacks, with yesterday’s strikes coming a day after the Russian military said it had seized the Ukrainian village of Ivanivske, west of Bakhmut. A militant attack on a Moscow concert hall on Friday that killed at least 133 people also became a new flash point between the two archrivals. “Explosions in the capital. Air defense is working. Do not