Twitter says that its team has fixed a cross-site scripting vulnerability on its web interface that allowed several worms to spread across the site on Tuesday morning.

According to The Guardian Technology Blog, a Japanese developer reported the XSS vulnerability to Twitter on August 14. The company launched a new site September 14, and the new site still had the vulnerability.

Twitter said Tuesday afternoon it had fixed the vulnerability, but not before countless malicious Tweets had been sent.

“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit,” the company said in a status message posted at 6:25 a.m.

The exploit was perfectly simple. You see, when you send a Tweet with a link attached, the URL is converted to a hyperlink. The exploit changed the way the link was translated when you hovered your mouse over it to click.

Twitter has been hacked — just for the fun of it/

The site was overrun on Tuesday morning with posts discussing a programming flaw that pranks users, spread worms, and sends porn to unsuspecting Tweeters.

According to experts, the problem was limited to a JavaScript command in the old Twitter web interface, which is gradually being phased out.

The New York Times reported that one offending post included an “onmouseover” command that caused messages to pop up and sites to open automatically when a pointer hovered over it.

The script caused some users to forward the offending links to their followers — similar to the many Facebook worms that have been found over the past few years.

Twitter hasn’t issued a statement yet, but posted a status page message saying: "We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit." At 9:50 Eastern time Twitter said it had fixed the flaw. (XSS is short for "cross site scripting" and refers to Web-application flaws that enable hackers to inject scripts into Web sites.)

News outlets reported that due to the worm, Sarah Brown, wife of former British prime minister Gordon Brown, was circulating a link on her Twitter page that sent users to a hardcore Japanese porn site.

Twitter user Magnus Holm, who says he’s a Norwegian Ruby on Rails programmer, appears to have started the slaw.

In an email to the Times, Hold said he just “wanted to experiment with the flaw.”

But the hack isn’t so harmless, and it’s led to other acts of online vandalism.

Others appear to be taking the JavaScript exploit and using it for much worse actions.

The Times reported that Holm said one malicious worm “downloaded some nasty code from a Russian server.”

There is no word on law enforcement action yet.

If you haven’t noticed, the internet is getting increasingly shittier with each passing day.

Whether it’s the makers of “The Hurt Locker” threatening to sue anyone who downloaded it, YouTube pulling every other clip that someone posts, or the fact I can’t figure out how to use a goddamn “keygen” so I can get all of this stolen software I downloaded to work, the web isn’t the proverbial “Wild West” anymore.

Hey, at least there’s still a healthy amount of free porn sites available at our fingertips, right?

Although, after reading articles like this, I’m sure that’ll change sooner than later, too.

Anyway, with the series finale of Lost airing this coming Sunday, some impatient fans have been (unsurprisingly) looking for any hints or plot spoilers because they’re either horribly impatient (which is dumb) or, because they’d like to ruin the ending for someone who would be super pissed if that happened (which would be hilarious and awesome.)

Regardless of the intent, fans who are looking for Lost finale spoilers not only aren’t finding them, they’re ending up with a nasty computer virus. Clearly, that’s not the kind of spoiler that anybody’s looking for. More on this story, thanks to the Boston Herald, after the jump.

Well, if you’re reading this, you’ve apparently survived the Conficker Disaster of 2009. Congratulations!

Actually, the Conficker worm, which has been quietly distributing itself across Windows PCs since 2008, was supposed to start phoning home Wednesday. Reports are conflicted whether or not anything has actually happened yet. Most experts agree that it could be a few days until the effects of the virus are known, though predictions run the gamut from a simple botnet that will send more spam or commit DDoS attacks to more sinister actions like stealing credit card information.

While the whole Conficker situation could be a very elaborate but harmless April Fool’s joke, the fact that everyone is so worked up into a frenzy over it shows that computer viruses are still as much of a threat in the ever-connected, ever-computerized world we live in now as they have been.

Last week marked ten years since the first “malware” virus, the Melissa virus, first started wrecking havoc on users’ computers and overloading email systems. While viruses that hijack email clients and propagate by mailing copies of themselves to everyone in address book are largely extinct now, the Melissa virus was a real problem in 1999.

Dmitry Gryaznov, a member of the original McAfee team who discovered and tracked down the Melissa virus, points out that “Ten years ago, malware writers were interested in creating a name for themselves. It’s a vastly different picture today. Cybercriminals are financially-driven; they’re eager to steal personal information and cash-in on the cyber attacks.” It’s true that most viruses in the past were about being flashy, like by deleting important system files. Most viruses today are Trojan programs that watch your computer in the background to steal credit card information and passwords that could lead to identity theft.

It’s important to point out that running a decent virus scanner or just installing the patches that Windows pushes out over Windows Update would have prevented this whole situation from ever happening. Of course, if you’re on a blog like this one, you probably already knew this-or you just run OS X. And if you haven’t, go scan your system-NOW. There are lots of free (http://free.avg.com/) and open source (http://www.clamwin.com/) tools available, so there are no excuses.

Security software vendor PC Tools says that February presents a new risk to consumers who frequent virtual networking websites and who are searching for love online-a group otherwise known as the “digitally active.”

On January 23, PC Tools reported on a new computer worm disguised as a Valentine’s Day program: Waledac worm victims can be infected through links distributed in email or instant messages that redirect consumers to exploited websites, which allows cybercriminals to gain control over the user’s computer.

PC Tools says the “digitally active” are in a higher risk category than other consumers because they frequently use new and alternative ‚ technologies to look for love, such as instant messaging, social networking, dating and adult web sites, popular targets for cybercriminals. According to a recent study by Web of Trust of 19 million web sites, adult websites pose the single most significant security threat for Internet users.

The “digitally active” are also regularly posting their personal information on social networking and dating websites, only to wake up the “morning after” to find their computer has been compromised and that they are a potential victim for identity theft and financial loss.

Here’s a little checklist:

• Do you visit adult websites?
• Do you use your credit card to purchase items when you visit?
• Do you have your birth date, street address, or any other personal information listed on any social networking sites or dating sites?
• Do you often open links through IM or email?
• Do you access the Internet without protection (i.e. security software, browser and firewall protection)?

“Answering ‘yes’ increases a user’s vulnerability to DTD’s,” said Greene.‚  “That’s why PC Tools has developed a list of common sense tips so the ‘digitally active’ can play safe while online.”

PC Tools’ tips for playing it safe for the “Digitally Active.”

1. PRACTICE SAFE EX-CHANGES – Be careful with e- cards

While many people trade e- cards on Valentine’s Day, birthdays and special occasions, be careful about opening e-cards and the associated links-even during an IM or social networking chat. Check the address of the link carefully before clicking on it. If the email or IM is from an address you are unfamiliar with or the link is to a Web site you are unfamiliar with, don’t open it-you could be exposing yourself to a DTD. Likewise, confirm with your friend that they have sent you a file or link to confirm its legitimacy.

2. LOOK FOR LOVE IN ALL THE RIGHT PLACES – Looks can be deceiving…

Just as our virtual networking techniques become increasingly sophisticated so too are the techniques applied by cybercriminals such that it is increasingly difficult to tell the difference between legitimate websites and hacker-created websites.‚ Both adult and dating Websites are known to have a high incidence of malicious code that could steal your identity and finances. It is also important to note that legitimate and reputable sites have also been a target for cybercriminals-be warned, looks can be deceiving! To avoid this, first be on the alert and be aware, only visit and download from websites that are recommended by well-known and reputable sources and never visit any website without protection.

3. DON’T BECOME DATE BAIT AND OVERLY PROMISCUOUS – Don’t give out too many personal details

Social networking, Instant Messaging (IM) accounts, adult websites and online dating sites should only require your basic contact details (for example, name, billing address and contact number) to register for services.‚  Consumers should demonstrate caution if a website requests too much information. Contact them by phone to find out why they need so much information, how they plan to use it and if they have a privacy and security policy to protect you and use your commonsense when updating an online profile. Also, don’t be complacent and use the auto-complete feature in your browser to save your passwords, logins or other personal information-its prime real estate for the cybercriminals.

4. KISS AND TELL – Keep records all online transactions

If a website requires payment for any reason, check out its refund policies, privacy policy and legal notices. These documents should be readily available on the company’s websites and are a good indication that a site is reputable.‚ Consumers should always print and save records of any online transactions, including the product or service description, price and the receipt of payment. If the site turns out to be fraudulent, you’ll need this information to advise the relevant authorities in order to try to get your money back. If you are going to transact online then have a separate credit card for online purchases only that has a low credit limit and is not linked to any other accounts.

5. PRACTICE CONSENTUAL UPDATING – Ensure your computer is up to date

Software companies continually issue updates to fix new security flaws, ensure you update your operating system, browser and security software regularly. Also use a web browser that is known to be relatively safe from Internet threats and vulnerabilities to ensure your computer isn’t exposed to threats where your personal and financial details, as well as your browsing habits, can be accessed by cybercriminals.

6. ALWAYS USE PROTECTION – Install comprehensive security protection

Finally, when being active, both online and offline, always use protection! There are tools consumers can use to protect themselves from DTD’s like spyware, viruses, Trojans, rootkits, and other malware. Leading independent publications recommend installing comprehensive behavior-based security software such as PC Tools Spyware Doctor with AntiVirus or PC Tools Internet Security.

Make sure your security product of choice has real-time protection, proactive behavioral protection, which helps protect against new and unknown threats, an advanced firewall to block unauthorized parties trying to access your computer via the Internet and browser protection which warns you about potentially malicious sites and identifies browser exploits.

Get a free copy of PC Tools’ Internet Security Suite 2009 on the Blast Magazine freebies page!

]]> http://blastmagazine.com/the-magazine/technology/do-you-have-a-digitally-transmitted-disease/feed/ 1 http://blastmagazine.com/the-magazine/technology/worm-found-on-google-orkut/ http://blastmagazine.com/the-magazine/technology/worm-found-on-google-orkut/#comments Thu, 20 Dec 2007 20:08:46 +0000 John M. Guilfoil http://blastmagazine.com/2007/12/worm-found-on-google-orkut/

Almost 400,000 members of Google’s social networking site, Orkut, were victimized by a new spam worm spreading around the site, said McAfee’s Avert Labs.

“While the worm doesn’t appear to harm users’ PCs, it does impact their profile and spread from friend to friend,” said McAfee. “This virus will add the user to a community called “Infectados pelo Virus Orkut” (“Infected by the Orkut Virus”) and starts to send messages to the friends of the infected user. Avert Labs believes Google is working to fight the worm.”

This raises concerns on how to keep the growing number of Web 2.0 sites safe and secure. MySpace and Facebook have faced similar issues recently, and everyone remembers the series of AIM Profile viruses and malicious code.

“I analyzed some suspicious scrap ’2008 vem ai… que ele comece mto bem para vc’ from a bunch of friends on Orkut,” wrote McAfee’s Vinay Mahadik. “For a while it was all over Orkut!! Translated to English, it reads ’2008 is coming…I wish that it begins quite well for you.’”

The worm is spreading through Orkut’s recently introduced tool that allows users to write messages that contain HTML code. The ability to add Flash/Javascript content to Orkut scraps was only recently introduced.

Click here for the full Avert Labs blog post.

The form has been named W32/KutWormer by McAfee.

]]> http://blastmagazine.com/the-magazine/technology/worm-found-on-google-orkut/feed/ 0