Twitter bug spreading, users urged to stay off website

Source: Chicago Sun Times - AP

September 21, 2010
ASSOCIATED PRESS

NEW YORK (AP) — A new way to cause mischief quickly spread through short-messaging service Twitter on Tuesday morning before the site could fix the problem, as mysterious "tweets" of blocked-out text propagated themselves and caused popup windows to open.

Shortly before 10 a.m. (1400 GMT), Twitter said on its "safety" feed on the site that the attack had been shut down. It also said it does not believe that any user information was compromised.

The hack had been extra nefarious because the tweets activated without being clicked on — it was enough for Web surfers to move their mouse cursors over them. But it only affected visitors to Twitter.com. Various third-party programs used to send and read tweets, such as Tweetdeck, were unaffected.

The popups could, though didn't necessarily, contain malicious code that could take over poorly protected computers. The White House's official Twitter feed — followed by 1.8 million users — was among those affected, though the offending message was quickly taken down.

Read more: http://www.suntimes.com/technology/2732050,twitter-bug-security-hacker-mouseover-092110.article

But others will appreciate the warning.

All about the "onMouseOver" incident

Tuesday, September 21, 2010

The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another user.

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an “onMouseOver” flaw -- the exploit occurred when someone moused over a link.

More:
http://www.stumbleupon.com/su/7EDU1j/blog.twitter.com/2010/09/all-about-onmouseover-incident.html/r:t

all her crazee tweets finally broke twitter.