17-Year-Old Aussie Boy Lays Claim to Twitter Takedown

MELBOURNE—Don’t let the name Pearce Delphin fool you—the boy behind it is not as innocent as his name implies. In fact, if his claim is accurate, the 17-year-old lad from Melbourne is at least partly responsible for the Great Twitter Takedown of 2010, even if he only inadvertently used a piece of JavaScript code that resulted in the now infamous “mouseover” attack.

“Pearce Delphin, or @zzap on Twitter, says he exposed the security flaw by tweeting a piece of code with an onMouseOver JavaScript function, which caused a pop-up to appear when a user merely moves his mouse cursor over the message,” reported Mashable.

The chaos that followed was short-lived but epic in its impact on the Twittersphere’s sense of security. While identity-theft issues have plagued the short-form blogging tool over the years, it had managed to avoid the sort of rolling blackouts—or in this case, redirects to porn sites, no less!—that so many other platforms have had to deal with, until now.

Delphin is only partly to blame for the extent of the attacks, however. An English security firm reportedly traced the source of the code to him within a few hours of his original post, but it was too late to prevent its modification by others, with the resulting auto-retweets, opened pornographic websites and general havoc unleashed upon the world. White House press secretary Robert Gibbs and Sarah Brown, wife of Britain's former Prime Minister Gordon Brown, were just two of the untold thousands of people impacted by the bug.

“I did it merely to see if it could be done … that JavaScript really could be executed within a tweet. At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn’t even considered it,” Delphin told AFP by email.

Delphin, who lives with his folks and will be graduating high school in the near future, also said that he modified previous JavaScript code that another user had used to color his tweets.

News reports have identified the other user as a Japanese developer named Masato Kinugawa, who, according to Mashable, said he reported the XSS vulnerability to Twitter on Aug. 14. It was apparently patched at that time, but he later discovered that the vulnerability was exploitable again, so he created a Twitter account called RainbowTwtr, which he used to prove that the flaw could be used to create colored tweets.

All of this was known to Twitter, which acknowledged on its blog, “We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.”

As mentioned in an earlier report, people using the new Twitter website were apparently unaffected by the bug, but caution on the part of the company is highly warranted, considering the ease with which this vulnerability was exploited more than once.
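To make the two points above concrete (how an onMouseOver attribute in a tweet ends up running in the page, and how a patched bug can be quietly undone by a later site update), here is an added example that is not Twitter's code: a hypothetical tweet linkifier in its unsafe and escaped forms, plus a regression check a site could run on every deploy. The rendering logic is an assumption for illustration, not a description of Twitter's actual code, and the sample tweet is constructed.

```javascript
// Added example, not Twitter's code. The linkifier is a hypothetical
// stand-in for "turn URLs in tweet text into <a> tags"; how Twitter's
// own code worked is not known from the article. The sample tweet is
// constructed and only calls alert.

const URL_RE = /https?:\/\/\S+/g;

// Unsafe: the matched URL goes straight into an href attribute. A quote
// inside the URL closes that attribute, and whatever follows, such as
// onmouseover="...", is parsed by the browser as a real attribute.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that HTML text and attribute values care about.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe: escape the whole tweet first, then linkify the escaped text.
// The quote is now &quot;, so it cannot terminate the href value.
// Order matters: linkifying first and escaping afterwards would break
// the <a> tag, and escaping only the visible text leaves the href open.
function linkifySafe(text) {
  return escapeHtml(text).replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Regression check. Walks each tag's attributes the way a browser does,
// skipping quoted values, and reports any on* handler that ended up as a
// real attribute. Run on every site update over a corpus of known-bad
// tweets; a fix that "resurfaced", as in the article, is what it catches.
function attributeNames(tag) {
  const attr = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  attr.lastIndex = tag.match(/^<[a-z][a-z0-9]*/i)[0].length;
  const names = [];
  let m;
  while ((m = attr.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function eventHandlerAttributes(html) {
  return (html.match(/<[a-z][^>]*>/gi) || [])
    .flatMap((tag) => attributeNames(tag))
    .filter((name) => name.startsWith("on"));
}

// Constructed sample: a URL carrying a quote and a handler attribute.
const sampleTweet = 'see http://example.invalid/@"onmouseover="alert(1)" now';
```

Feeding `sampleTweet` through `linkifyUnsafe` yields a live `onmouseover` attribute, while `linkifySafe` yields only an `href`; the same check over a stored corpus of known-bad tweets turns a one-off patch into a guard that survives later site updates.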

As Mashable suggests, “Twitter should take a good look at its security before an attack similar to this one causes a lot more damage.”