@zzap
Twitter Attack

Australian teen to blame for Twitter's JavaScript meltdown

A 17-year-old Australian whizkid was to blame for the ‘onMouseOver’ issues that plagued the microblogging site.

A 17-YEAR-OLD Australian boy is being blamed for uncovering the Twitter flaw which yesterday saw the site go into virtual meltdown as rogue programmers discovered a way to make users continually retweet blocks of black text.

Pearse Delphin, a self-described “deontological libertarian from Melbourne, Australia”, has been credited with discovering the flaw, posting the code to the site and demonstrating how it could be used to ill effect.

The tweet tricked the site into converting JavaScript code into a legitimate hyperlink, complete with attributes which (when activated by hovering the mouse over it) triggered a pop-up box saying “Uh oh”.

Rickroll

It is understood that, after Delphin tweeted “No one tell [notorious online messageboard] 4chan about this, ok guys?”, several of 4chan’s users adapted the code so that anyone hovering over their tweets would be instantly redirected to a YouTube video of Rick Astley’s ‘Never Gonna Give You Up’.

The tweet was then adapted into the form seen by most yesterday: it retweeted itself and used black boxes to conceal its hidden message.

Twitter has said that it had uncovered the problem itself in August and had moved to plug the security hole, but a recent update to its site (separate, it insisted, to the introduction of the so-called ‘New Twitter’ interface) had unwittingly re-exposed the flaw.

Delphin has told news agency AFP that he posted the maliciously-used code “merely to see if it could be done … that JavaScript really could be executed within a tweet.

“I discovered a vulnerability, I didn’t create a self-replicating worm. As far as I know, that isn’t technically illegal.”

He has also tweeted an apology, saying: “I’ll say sorry, but I’m not taking off my glasses.”

For the benefit of his new Twitter followers, he has since tweeted: “Is this the point where I mention I need a job? I’m just a poor boy, no body loves me … except for the media.”