Twitter ravaged by XSS exploit

Andre Yoskowitz
21 Sep 2010 16:18

Popular micro-blogging site Twitter was hit pretty hard today by a newly exposed site exploit, with hundreds of thousands of users affected.
The "onMouseOver" incident, as Twitter itself dubbed it, started early in the morning (around 6 am EST) and had been fully patched by 12 pm EST, with the main problems fixed by 10 am.
Twitter says the security exploit was caused by cross-site scripting (XSS), which is "the practice of placing code from an untrusted website into another one."
In this morning's case, hackers submitted JavaScript code as plain text in tweets, and that code was then executed when others clicked it.
Twitter explains further: "Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an "onMouseOver" flaw -- the exploit occurred when someone moused over a link."
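To make the mechanism concrete, here is an added example (not Twitter's code) of a tweet "linkifier" written in the vulnerable style the article describes, beside a hardened version that HTML-encodes text and attribute values; the regular expression and the sample tweet are hypothetical stand-ins for Twitter's own matching rules.

```javascript
// Added example (not Twitter's code): a tweet "linkifier" in the vulnerable
// style the article describes, beside a hardened version. URL_RE and the
// sample tweet are hypothetical stand-ins for Twitter's own matching rules.

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched text is spliced straight into the HTML attribute.
// A tweet whose URL carries a closing quote followed by an attribute name
// (onmouseover=...) ends up as a real attribute on the <a> element, so the
// handler fires on hover, which is the "onMouseOver" behaviour described above.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-encode every character that could open a tag or close an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every text segment and attribute value is encoded, and only URLs
// that parse with an http(s) scheme become links (anything else stays text).
function linkifySafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const raw = m[0];
    let href = null;
    try {
      const u = new URL(raw); // WHATWG parser percent-encodes quotes in the path
      if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
    } catch (e) {
      href = null; // unparseable: leave it as plain text
    }
    out += href ? `<a href="${escapeHtml(href)}">${escapeHtml(raw)}</a>` : escapeHtml(raw);
    last = m.index + raw.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Constructed sample: an inert attribute-smuggling tweet (no script body).
const SAMPLE_TWEET = 'see http://t.co/x"onmouseover="hovered"';
```

Running both functions over `SAMPLE_TWEET` shows the unsafe output carrying `onmouseover` as a live attribute, while the safe output keeps it as harmless text inside the link body.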
The exploit only affected users of the Twitter website; third-party clients and the mobile versions of the site were unaffected.
The official White House Twitter page, with 1.81 million followers, was the highest profile page to be affected.