If you happen to use Twitter or keep up to date with any sort of tech news, you’ve probably heard about the massive ‘onmouseover’ Twitter worm that was spreading yesterday, a popular one mentioned a user named ‘Matsta’ spreading some code that reposted itself around the social networking website.

I may have been partially responsible for this.

The Story
While hopping into bed last night I received a text from twitter/@zzap, a friend who had posted a URL with Javascript which Iinstantly recognised to be a form of XSS attack. Being the geek I am, I opened my MacBook to check out what I could do with this (on a private Twitter account used for testing only).

First things first, what is XSS or Cross Site Scripting? XSS is a type of computer vulnerability typically found in web pages and that allows attackers to insert their own client side scripting into the pages. What this means is that instead of displaying a line of text, your web browser would run the code embedded inside, giving complete control over your Twitter account to an attacker (if they wanted to, in this case there was no malicious code – at least that I saw). In this case, a very small problem in Twitter’s code enabled HTML (the code used to make up web pages) – including Javascript, and thus giving up command to our script.

One of the challenges was keeping the entire script under 140 characters. This includes the overhead that’s required for the actual XSS to work (28% of the total Tweet length in the original tweet by @zzap). I had almost given up trying to create a self-propagating message of any kind when I noticed a Japanese user had (very smartly) reused jQuery to cut down on space and have a self-retweeting message passed around the Twitterverse. It had around 20,000 retweets by the time I saw it, but I thought I could improve on it. What if I could make it retweet automatically, without hovering over the link?

After another 15 minutes of playing around with it, the approach I ended up working with was to manipulate the CSS to make the Tweet text itself take up the entire page, meaning it wasn’t completely automated, but as soon as your mouse cursor moved in any part of the web page, the script would run itself. I ended up reusing one of Twitter’s CSS classes because there wasn’t enough space for me to include my own, which is why I was unable to control the greyed out screen with the code at the top that some users complained of.

The end result? As soon as the tweet was on your Twitter dashboard AND you happened to move your mouse cursor, you spread the script to all of your followers. And as soon as they saw it, they spread it to theirs. Repeat this thousands of times over and you have yourself something very viral in a very short amount of time. It’s the same idea as the Samy MySpace XSS worm of a few years ago.

After I had completed this, I jumped on AIM and saw my friend Matt was online. The conversation went like this:

And the Matsta worm was born.

The Aftermath
Of course, it didn’t stay at ten retweets for long. Matt (had) 800 followers of his own to spread to and I (knowingly) opened up my Twitter homepage and of course, spread to my almost 4,000 followers. Within two minutes of being on the site, the message had already hit “100+” retweets, at which the Twitter web interface stops telling you how popular you are and leaves you on your own.

Interesting sidenote: The developer of Boxcar, a popular iPhone Twitter application that Matt was using to push Twitter to his phone, noted that one of Matt’s Tweets that was on the site for less than five minutes resulted in 61,516 notifications being sent to his iPhone.

A few more minutes pass by before the Twitter interface becomes dead unusable, the unfortunate side effect of keeping my code minimal also means disabling most of the Twitter web interface, oops. I should point out that any application that accessed Twitter via the API such as desktop clients and mobile applications are completely unaffected by this flaw, only people accessing the website themselves. I was surprised that it worked on the new Twitter UI that is being gradually rolled out, as I do not have access to that and thus couldn’t test it myself.

Within half an hour, we were starting to see some more famous users mention the worm. I laughed when an artist I enjoy, Fake Blood, posted that “Some c*nt just killed my Twitter” immediately after resending the message that Matt had let go.

Watching Twitter search was also hilariously entertaining, with (at one point) roughly approx. 200 tweets per second coming in:

Another interesting side effect on the disaster: due to keeping the code within 140 characters, the script was limited to sending out Matt’s latest tweet. As soon as he posted a different message (which he did, about Boxcar on his iPhone going crazy), the code that was already out in the wild started spreading the new message. I doubt 61,000 people would unanimously enjoy reading about a stranger who was bombarded with notifications. The tweet was soon deleted and the worm continued to spread.

Almost an hour and a half later, the Tweets were coming in by the thousands. Shortly after 2am, an hour and a half after the deadly Matsta strain had been set loose, Twitter had patched their code and the exploit no longer continued to work. Tweets continued to pour in at the rate of thousands per hour, including Matt getting insulted in more languages than I knew existed.

Of course, if you have enough Tweets mentioning a topic, you become a trending topic. Definitely a highlight of the evening seeing Matsta on the trending topics list.

At this point, I went to bed as I had an 8:30AM class and most of the fun was over.

The Media Reaction
Of course, half the fun has been reading all of the news stories mentioning @zzap and @Matsta for creating this ‘malicious’ worm that spread across Twitter. As of right now, there are over 1,600 stories on Google News containing ‘Matsta.’ We’ve been on Fox News, The New Zealand Herald, BBC News, New York Daily News + many, many more. Too many to link to separately. (Also, Fox News apparently hasn’t heard of allowing embeds on their videos. What is this, 1999? Not that I really want to give any advertising dollars to supporters of Glenn Beck and Bill O’Riley, but I digress)

Here’s a clip from a local news station demonstrating the bug (and showing my Twitter account) on the nightly national news last night (download)

Of course the reaction in real life has been interesting also. Many of my IRL friends and school acquaintances recognised us in various forms of local publications

And so there you have it, how I accidentally made headlines around the world. Matt has written up his own recollection on his blog that you can find here. Thanks for reading.

I’ve had quite a lot of interest in the events that have happened over the past few days so I thought I would set up yet another blog to post some of my thoughts. Subscribe to the RSS if you wish!

Cheers,
Harrison / @Peppery