Monday, September 27, 2010

BaaaaBaaaaaaaaaaa—d Twitter Worm!

No, I do not like bumming goats, but apparently a lot of folks who were on Twitter over the weekend admitted that they do.

Obviously it was the latest worm to hit the monster social network in two weeks, and caused a furor that went viral when uncounted throngs of users inadvertently made the startling – and troubling – bestiality admission.

Everyone quickly understood it was a hoax, so the few, the proud and the obscene turned it into a barrage of even sicker humor.

By late yesterday, Twitter had assured users that the worm had been squashed. Here’s a popular blog that described it:

By Athima Chansanchai

We are all slaves to temptation. Let's face it, when something even remotely piques our interest, we have to touch it, or in modern times, click on the WTF link.

Because we're children, you see, and we have to know what that's about. On Twitter yesterday, clicking on that link yielded retweets stating, "I like anal sex with goats." (Today, it's become elevated to "love," but I think it's just some people having fun with it now.) Even if you happen to indulge in that particular fetish, you probably don't want the whole world knowing about it. But too many people were tweeting it out for it to be some kind of dramatic, en-masse pro-goat-sex demonstration.

It didn't have the meltdown effect of last week's "Twitter OnMouseOver Incident," but it did highlight, once again, the vulnerabilities in the Twitterverse.

This particular worm had a few different layers to it.

TechCrunch broke it down:

“Either a lot of Techies are into really kinky things, or there is a Twitter worm going around. It looks like a ton of people just started sending out Tweets saying “I Like Anal Sex With Goats.” This Tweet is followed by another one that says “WTF” and includes a link. Do NOT click on this link; it appears that it will cause you to send out the same series of Tweets from your account.”

Warnings started piping in, such as this one from @pranger: "Don’t Click The WTF Link On Twitter Unless You DO Like Sex With Goats." (I do appreciate the open-mindedness of the choice.)

Others couldn't resist making some wry commentary, such as @hackerTrends: "Toomany people in my timeline are having/love to have sex with goats."

Andrew Nacin, one of the core developers of the WordPress platform, wrote a post about this CSRF attack. Namely, he explains what that means.

“Twitter allows a URL to send a tweet. Many sites and retweet buttons and such rely on it. No POST, no nonce, nothing. Just a simple HTTP GET triggers a tweet. Clearly, someone was going to exploit this eventually.”

“Authentication is not the same as intention. You can’t just determine that a user is allowed to do something, but also that they intended to do something. When intent is not established, and especially when the form can be submitted via a GET request, it makes these kinds of exploits child’s play, as you can see by the complete exploit code below. It’s called a cross-site request forgery, or CSRF (or XSRF).”

TechCrunch let us know that Twitter was onto the problem, and pointed us to the company's blog for a status update.

“A malicious link is making the rounds that will post a tweet to your account when clicked on. Twitter has disabled the link, and is currently resolving the issue.”

Twitter updated its status after that to saying they've fixed the problem and "are in the process of removing the offending Tweets."

I doubt most Twits found the tweets THAT offensive; instead they rolled with it. And today, they're combining yesterday's funny with another annoying viral must-click: the #TwitRank. (I'm just kidding about that must-click. It takes you through some kind of survey. I saw the first page, and backed out, hands up in the air, fast.)

It produces something like @robinbogg's post: "My Twitter Rank is "i love anal sex with goats". What's your Rank? #TwitRank"

— The Curator

No comments:

Post a Comment