#Onmouseover over for now, but not for good

Only two days after the “#onmouseover incident,” several of the users responsible are already known.  According to the Twitter blog:
“The security exploit that caused problems this (Tuesday) morning Pacific time was caused by cross-site scripting (XSS).  Cross-site scripting is the practice of placing code from an untrusted website into another one.  In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user.”  The code caused a pop-up to appear when a user merely moved their mouse over the message, hence the name #onmouseover.

The message was quickly modified to do other things, from automatic re-tweets to opening new websites leading to advertisements or surveys.  In the few hours before the vulnerability was patched, thousands of Twitter accounts were affected, including that of press secretary Robert Gibbs.

An Australian teenager claims to have spotted the vulnerability initially, though there is some question as to the truth of this.  He also claims he only used it to create a pop-up.  Several other users then modified it, creating the viral code.  Twitter claims that most of these exploits were used for either pranks or promotions rather than to cause any harm, and that no one’s account information was compromised.  They stated that although the flaw had the potential to be very serious, relatively little damage was actually done.

It is worth noting that only users who were actually on the Twitter website were affected.  Many users post to Twitter using third-party clients (we use Hootsuite, for example), and these services were unaffected by the exploit.

This is also not a new issue for Twitter.  They had been notified about the flaw and patched it about a month ago.  Social networking sites update frequently, and in the most recent update this was overlooked and the flaw resurfaced.  In a BBC News article, a researcher from Sophos said that this was a common problem when the site updates.  The article reported that:  “once an exploit had been found there would be a raft of hackers looking for new ones or ways to circumvent the patch.  ‘We've seen it in the past,’ he said. ‘When Twitter says they have fixed a flaw, we see a new exploit again and again.’”  Although #Onmouseover might be over for now, we suspect another related flaw will be exploited, as spammers are a tricky sort, constantly looking for new ways to get out their message.
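As an added illustration (not Twitter's code, and not part of the original post), here is the defensive pattern behind both points above: the XSS description from the Twitter blog, and the regression that let the flaw resurface after an update.  Untrusted tweet text is HTML-escaped before it is placed in the page, and a small check asserts that no inline event handler (onmouseover or otherwise) survives rendering, which is exactly the kind of test that would catch the bug coming back.  The user name, tweet text and page template are constructed for the example.

```javascript
// Added example, not Twitter's code: contextual HTML escaping for tweet text,
// plus the regression check a deploy pipeline can run so a later update
// cannot quietly reintroduce the bug.

// Characters that have meaning in HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so the browser shows it literally instead of parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (the pattern the post describes): user-supplied text is
// concatenated straight into the page's markup, so any tags or event-handler
// attributes it contains become live in every reader's browser.
function renderTweetUnsafe(user, text) {
  return `<p class="tweet"><b>@${user}</b> ${text}</p>`;
}

// Hardened rendering: every untrusted field is escaped for the HTML context it
// lands in, so the same input is displayed as text and never executed.
function renderTweetSafe(user, text) {
  return `<p class="tweet"><b>@${escapeHtml(user)}</b> ${escapeHtml(text)}</p>`;
}

// Regression check: true if any inline event-handler attribute (onmouseover,
// onclick, ...) is present in the rendered HTML. The template itself never
// emits one, so any hit means untrusted text leaked through unescaped.
function hasInlineEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet in the shape the post describes: markup carrying a
// mouse-over handler, submitted as ordinary text.
const SAMPLE_USER = "someone";
const SAMPLE_TEXT = '<span onmouseover="alert(\'hi\')">hover me</span>';

console.log("unsafe:", renderTweetUnsafe(SAMPLE_USER, SAMPLE_TEXT));
console.log("safe:  ", renderTweetSafe(SAMPLE_USER, SAMPLE_TEXT));
console.log("handler survived (unsafe)?", hasInlineEventHandler(renderTweetUnsafe(SAMPLE_USER, SAMPLE_TEXT)));
console.log("handler survived (safe)?  ", hasInlineEventHandler(renderTweetSafe(SAMPLE_USER, SAMPLE_TEXT)));
```

The escaping is the real fix; `hasInlineEventHandler` is only a tripwire for the test suite, not a filter to run on incoming tweets, since a blocklist of attribute names will always lag behind the ways markup can be written.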