Another week, another fast-moving Twitter attack. Just days after engineers stamped out a nasty cross site scripting hole in the company’s Web page, the company had to contend with a worm that used an attack called “cross site request forgery” to post salacious messages and malicious links on victims’ accounts.
The worm first appeared over the weekend, posting two tweets in short succession to victims’ Twitter accounts. The first message made explosive claims about goats and the Twitterer’s sexual preferences, while the second simply read “WTF?” and included a link. Clicking on that link made the reader a victim, too, pushing the same sequence of tweets out through their Twitter account.
Twitter acknowledged the spreading attack by early Sunday and disabled the malicious link, according to a post on the @support blog.
Cross site request forgery attacks take advantage of a user’s authentication to a site to post malicious links or other content through that site. By late Sunday, the company said it had fixed the vulnerability, which appears to have been a cross site request forgery attack that took advantage of the Twitter Share feature.