Twitter has had to deal with a second worm over the weekend, this time arriving in tweets beginning ‘WTF’ and containing a link.
Clicking on the link automatically created a post from the victim declaring an enthusiasm for sex with goats.
Far fewer people were affected than earlier in the week, when the onMouseOver worm crippled the site for hours, but victims included celebrity blogger Robert Scoble.
“Clicking on the WTF link would take you to a webpage which contained some trivial code which used a CSRF (cross-site request forgery) technique to automatically post from the visitor’s Twitter account,” says Graham Cluley from Sophos.
“All the user sees if they visit the link is a blank page, but behind the scenes it has sent messages to Twitter to post from your account. The messages obviously couldn’t be sent if you weren’t logged into Twitter at the time you clicked on the link.”
Twitter says on its status blog that it has disabled the link. Yesterday it fixed the underlying flaw and started removing the offending tweets.
However, says Cluley, the attack highlights an obvious security problem that needs to be addressed urgently; otherwise further, perhaps more dangerous attacks could follow.
The attack follows a much more widespread worm last week, known as onMouseOver, which saw pranksters redirecting visitors to third-party websites including hard-core porn pages.