Twitter has posted an official response to the “onMouseOver” security flaw that hit the Twitter.com website earlier this morning.
In the official post, Twitter security team member Bob Lord lays out a timeline of the attack, its underlying cause and the scope of its reach.
As we noted earlier this morning, using cross-site scripting (XSS), malicious users were able to exploit a security hole on Twitter’s website. The result was that thousands of users found themselves redirected to other websites, and that they were automatically sending tweets to pass the exploit to others.
This type of attack was particularly nasty because it could be exploited simply by hovering over a link on a page. In my own case, merely visiting the Twitter homepage was enough to set off a pattern of auto-tweets.
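The hover-triggered behaviour described above comes from an attribute-injection XSS: if a link is built by pasting a user-supplied URL straight into an `href="..."` attribute, a quote character inside the URL closes the attribute and anything after it (such as an `onmouseover` handler) becomes part of the tag. The following is an added illustration, not code from Twitter or from this article, showing the unsafe rendering pattern beside a hardened version that allows only http(s) URLs and attribute-encodes them, plus a small heuristic a defender could use to spot event-handler attributes in rendered markup. All function names and the test URL are constructed for the example.

```javascript
// Added example (not Twitter's code): rendering a user-supplied URL as a link.

// Encode the characters that can break out of a quoted HTML attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: raw interpolation. A double quote in the URL ends the
// href value, so the remainder of the string is parsed as new attributes.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + "</a>";
}

// Hardened pattern: reject non-http(s) schemes (blocks javascript: URLs) and
// attribute-encode the value before placing it inside the tag.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) {
    return escapeHtmlAttr(url); // not a recognised link; render as inert text
  }
  const enc = escapeHtmlAttr(url);
  return '<a href="' + enc + '">' + enc + "</a>";
}

// Heuristic check for review or log scanning: does the markup contain an
// on*= attribute? Matches a handler name preceded by whitespace, a quote
// or a slash, since browsers accept attributes with no space after a
// quoted value.
function hasEventHandlerAttr(html) {
  return /(?:^|[\s"'\/])on[a-z]+\s*=/i.test(html);
}

// Constructed test input: a URL carrying a quote and a handler attribute.
const constructedInput = 'http://example.com/"onmouseover="x()';
```

Running `renderLinkUnsafe(constructedInput)` yields a tag with a live `onmouseover` attribute, while `renderLinkSafe` turns the quotes into `&quot;` so the whole value stays inside `href`. Encoding is the fix; a blocklist of handler names is not, because it is the attribute boundary that matters.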
Twitter says that it discovered the hole that led to the exploit last month and patched it. However, a recent update to the site (which Twitter stresses was not related to the new Twitter) caused the hole to resurface.
The exploit only affected Twitter.com users and not anyone using the mobile web site or third-party Twitter apps. Twitter says it was notified about the security hole at 2:54 am PT and had the most significant aspects patched by 7:00 am PT.
The microblogging service also says that it appears that the vast majority of uses of the exploit were for pranks or promotional purposes. Lord writes that Twitter is unaware of any issues related to the attack that would have any impact on a user’s computer or Twitter account. No account information was compromised, so changing passwords shouldn’t be necessary.
While it appears that this incident resulted in more annoyances for users than any long-lasting damage, it is a good reminder of just how quickly even large websites can be exploited. For Twitter’s sake, we hope that more code auditing takes place when applying patches to avoid some of these incidents in the future.