Video settings

More video
56K modem

Video will begin in 5 seconds.

Automatically detect my connection speed (recommended)

But later, some mischievous users of the site started using the exploit to make people “retweet” infected messages (when they hovered over a tweet with the code inserted) that they had not authorised. “I analysed the code within these ‘rainbow tweets’ more carefully, and it became evident that you could use any Javascript or HTML [code] rather than just CSS [code] - which meant that instead of just changing the appearance of the tweet, you could actually execute commands within the user's browser."

He said that after he started noticing the exploit, some of his followers "realised the power" of the vulnerability, "and within a matter of minutes scripts had taken over my [Twitter] timeline". "First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. "In all the four years of using Twitter, this is the first time I recall a security hole spreading at the rate it did."

Asked what he had gained from discovering the exploit, he laughed, saying: "Apart from [Twitter] followers?"

More seriously, he added: "I guess I have gained knowledge of how easy information can spread throughout social media networks. Twitter user @judofyr was then the first one to create a self replicating retweet worm by accident, he said, while some New Zealand Twitter users used the vulnerability to create a malevolent worm deliberately. "The effects on the site had it been day time there could have been a lot worse. "I guess regardless of power or fame, on the internet you have to be as careful as everyone else about security risks; this is one of the few areas that affects everyone on an equal scale."

News site Netcraft said it appeared as though Pearce found the exploit by looking at another Twitter page that took advantage of a similar exploit but only changed the colour of Twitter messages. Literally moments after I had tweet[ed] the ... He said it was first discovered by Twitter user @kinugawamasato, who changed the colour of tweets. "Luckily when this vulnerability first got out, it was apparently the middle of the night in North America," he said. He said "theoretically this could be used to maliciously steal users' account details". exploit prior to it being touted in public. Pearce was then the "first person to report the Javascript vulnerability", he said, which made alert boxes appear when users hovered over tweets. But "the problem was being able to write code that can steal usernames and passwords while still remaining under Twitter's 140 character tweet limit", he said. "Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge."

It said the "vast majority" of exploits related to this incident fell under the "prank or promotional" categories. He said it was Twitter's responsibility, not his, to keep the site secure. However, we are not aware of any issues related to it that would cause harm to computers or their accounts," it said. Twitter engineers were pressed into finding a fix for the exploit within hours of it being discovered. Twitter, which allows users to pepper one another with messages of 140 characters or less, has more than 145 million registered users, co-founder Evan Williams said recently.The author of this post is on Twitter: @bengrubb

With AFP Speaking to this website, Pearce, who is studying year 12 at Penleigh and Essendon Grammar School, said that he was surprised that "so many famous people got infected". "Not wanting to get my account banned, since I've been a Twitter user since 2006, I was very careful to the kind of script I posted (unlike some, who were very liberal at posting self replicating worms like @Matsta, who subsequently got their account suspended)," he said. Pearce confirmed this, however, there has been some confusion over who first created certain parts of the exploit. script, I had dozens of replies in shock, questioning how I managed to do that."

Realising this, he said, it got him thinking how hard it would be to extract personal information from a user using the exploit. However, the fact that this vulnerability was omnipresent for hours, with no word from any of the Twitter staff, before it was fixed, meant there was lots of confusion and distress within the Twitter community, as the safety of the site was questioned."

Asked whether he thought it was irresponsible to discover and then tweet the exploit he had found, he said: "The situation could have been handled better if Twitter had been notified of the ... Pearce added that this was "the first time" he had found any kind of exploit on Twitter. Pearce said Twitter "probably could have handled it better" when questioned on its ability to fix the exploit. After a "little bit of coding", he said he "managed to generate a dialog box containing the data from within the Twitter cookie file". "And, there is no need to change passwords because user account information was not compromised through this exploit."Security expert Graham Cluley of computer security firm Sophos said the bug only affected users of the website and not third-party programs developed to access the popular microblogging service.Mr Cluley said the bug was allowing messages to pop-up and third-party websites to open in a web browser including links to pornography sites.He said that Brown's tweets had redirected followers to "a hardcore porn site based in Japan"."It looks like many users are currently using the flaw for fun and games," Cluley said. "But there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed," he said.The infected links look like regular "tweets", but contain lines of random computer code or are completely blacked out like a message that has been redacted. "Users may still see strange retweets in their timelines caused by the exploit. "When one considers entities like the White House, you don't expect someone to actually be sitting there refreshing the Twitter home page and mousing over links from whoever they're following," he said. He said he gained an extra 130 followers from tweeting about the exploit. "However, it is not the job of the user to protect the integrity of a third party site; Twitter ultimately has a responsibility of ensuring its site is safe for its users itself."

Computer security firms said thousands of users, or more, were affected by the exploit.Those whose accounts were hit included Sarah Brown, the wife of the former British prime minister Gordon Brown, who has more than a million Twitter followers, and White House press secretary Robert Gibbs."My Twitter went haywire - absolutely no clue why it sent that message or even what it is ... paging the tech guys," Gibbs wrote on the site.Twitter said it had identified the attack and that it had been "fully patched". "Early this morning, a user noticed the security hole and took advantage of it on," Twitter said on its blog.

Twitter hacked

Feedback to producers

Medium-speed broadband (300+ Kb/s)

Twitter for dogs has arrived

Replay video

Provide feedback to the multimedia producers.
Click to play video

Don't play

Video feedback

Click to play video

Click to play video

Return to video

Gadgets for modern media
Ask for technical assistance in playing the multimedia available on this site, or


Video settings
The social network was speedily alerted by a stream of angry tweets. Twitter was the target of a hack, which caused an invasive pop-up to occur.

Video feedback

Use this form to:
Video settings form


An Australian teen has caused havoc on Twitter by discovering an "exploit" that hit thousands of users, including US President Barack Obama's press secretary, and resulted in the tweets of a former British PM's wife linking to hardcore porn. Illustration: Ben Grubb/wires Twitter CEO Evan Williams and Pearce Delphin (@zzap). Melbourne student Pearce Delphin, 17, triggered the Twitter scare by testing computer code that opened alert boxes in web browsers saying "uh oh" when a user hovered over infected messages or tweets, with their mouse.


High-speed broadband (600+ Kb/s)
Thank you.
What type of connection do you have?

Web inventor rejects 'dead' claim

Click to play video

Technical help

Return to video
Video feedback
Return to video
News anchor in marketing scam
Your feedback was successfully sent.
Video feedback form
Play now

Home broadband (100+ Kb/s)

Note: A cookie will be set to keep your preferences.