Holm takes the credit for turning the vulnerability into a worm, by making it re-tweet itself, that propagated virally among Twitter.com users.
At first he thought the worm wouldn't really do anything: "meh, this worm doesn't really scale. the users can just delete the tweet :(" he wrote. Then within a few minutes he saw that it had started spreading virally. "holy shit. I think this is exponential: "3381 more results since you started searching," he said - adding, a few minutes later "This is scary." [The Guardian]
Many hackers got on the bandwagon, adapting the script so that anyone who moused over it automatically tweeted a bizarre message, or opened a pornographic website, covered the page in huge letters, or turned the whole page into a link that re-tweeted the worm. The interesting twist is that the vulnerability was previously reported to Twitter by Japanese developer Masato Kinugawa
on August 14 and the site then promptly fixed. But a site update (which Twitter says
is unrelated to the "new Twitter" launch and roll-outs) reversed the patch, making this script hackable again. Kinugawa even made a "Rainbow Twtr" account, now defunct, showing how the vulnerability could allowed him to change the color of his tweets. The hack affected thousands of Twitter users, including the White House's press secretary Robert Gibbs
, who switched to using TweetDeck, as users of third-party applications weren't affected by the bug. Related content: Discoblog: How To Make Your Twitter Followers Uneasy: Use ShadyURLs
Image: Flickr/Monkeyworks illustration