A teenage prank on Twitter turned into the hack heard round the world Tuesday — and VentureBeat now has the story behind it. Through an exclusive interview with the two New Zealand kids whose code spread around the world in minutes, we learned exactly how idle mischief from down under turned the fast-growing microblogging site upside-down.
The incident raised questions about Twitter’s security. The site has swiftly grown to more than 140 million users. It recently raised $100 million in venture capital and is valued by its investors at more than $1 billion. It has gone on a hiring spree, even as many question its plans to make money. And the fact that two teens were so easily able to take it over raises the concern that it’s neglecting security amid its torrid growth.
The hack first spread through an account named @Matsta, who resides in Auckland, New Zealand, the city where I live. I got in touch with Matt, the 17-year-old behind that Twitter handle, to find out the real story.
Matt and his friend Harrison, both high school students, admited that they were involved in spreading the exploitative code. (Both are 17, so VentureBeat is not publishing their last names.) Drawing from our exclusive interview with the pair, who have both blogged about the incident, we now have the story behind the Great Twitter Exploit of 2010.
“When you can make something retweet itself, you have what is essentially the same thing as the Samy XSS worm that propagated on MySpace some years ago — a virally spreading exploit,” Harrison pointed out.
Having laid the groundwork for a successful exploit, Harrison then instant-messaged the code to his friend, Matt (@Matsta), as a joke. “Go to Twitter and copy and paste this into the box,” he said in a message, pointing to the code he had just come up with.
“When I sent it his way, I was mostly curious as to what would happen when the code was posted,” Harrison says.
Matt, who said he was unaware of what the code would do, tweeted it out to his 800 people who subscribed to him on Twitter, and thus was born the infamous Twitter exploit.
Now it’s no secret what took place afterwards. In just over two minutes, the exploit had been retweeted thousands of times, spreading from user to user as they opened their Twitter homepages and saw someone’s tweet.
Jonathan George, the developer of Boxcar, a popular iPhone application which sends Twitter notifications to a phone, noted that one of Matt’s tweets had been retweeted 61,516 times. Needless to say, within minutes, the word “Matsta” was trending on Twitter.
“We had no idea that it would take off in that way,” said Matt. “I only gave it two seconds of thought before I posted the code.”
However, the code was still out and being retweeted until Twitter developers finally fixed the underlying vulnerability at around 9 a.m. Pacific Time. Meanwhile, back in New Zealand, where it was already night, Matt and Harrison headed to bed to get ready for class the next morning.
The news caught fire as they slept. The story was covered by nearly every major outlet around the world. To date, there are over 1,800 news stories containing the word “Matsta”, according to Google News. Back at home, the New Zealand Herald reported the involvement of two fellow Kiwis in the attack, as did a national TV news channel.
As a result, Matt and Harrison’s Facebook pages have since been littered with links to coverage of the incident, with friends and acquaintances congratulating the two for making world news with an idle prank.
Matt has since made a new Twitter profile and hopes the company will let this one slide. “No, I will not hack your Twitter,” he promises in his bio. (Update: it appears Matt’s new account has also been suspended by Twitter. Update 2: Twitter is working with Matt to restore his account, on the promise that he will “report this kind of stuff responsibly before letting it spread.”)
Carolyn Penner, a Twitter spokesperson, said the company would not pursue legal action against either Matt or Harrison.
[Homepage photo: bixentro]
VB’s research team is studying mobile user acquisition: Chime in here, and we’ll share the results.