Twitter has fixed a cross-site scripting (XSS) vulnerability which caused thousands of messages to spread throughout the system. Unbelievably, the security flaw was exposed by a simple JavaScript onmouseover event handler. It was first exploited by zzap and judofyr following posts by RainbowTwtr earlier today.
Passing your mouse over the message caused a JavaScript alert and, within hours, spammers were using the flaw to redirect to other websites, change backgrounds, and retweet messages. Fortunately, Twitter fixed the problem before spammers could attempt to steal cookies or load larger JavaScript payloads from external websites.
It should be noted that the bug affected Twitter.com and, potentially, third-party systems opened in a web browser. Security company F-Secure advised users to use applications such as TweetDeck until the problem was fixed. However, all users would have seen rogue tweets.
The system was affected for several hours and a search for onmouseover reveals the extent of the flaw. A few issues surprise me:
- Why didn’t Twitter take down the service immediately?
- Why wasn’t user input fully sanitized? We all make programming mistakes, but this was a fairly fundamental problem.
- Why wasn’t the flaw found sooner? (Perhaps it was introduced in a recent update?)
Please tweet me with your answers. On second thoughts…