The 'onMouseOver' incident at Twitter

“onMouseOver” flaw — exploit occurred when mouse was over a link. With XSS on Twitter.com; someone created an account & exploited issue by turning tweets different colors & causing a pop-up box to appear on hoving the link.

TL;DR

On Tuesday, September 21, 2010 morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and Twitter immediately started on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.

The longer story

The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another user.

Twitter had discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an “onMouseOver” flaw — the exploit occurred when someone moused over a link.

Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.

This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, Twitter has not encountered any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.