
Today Twitter users suffered a huge headache as a worm ripped through the site earlier this morning. The cause of the worm has been identified as a cross-site scripting (XSS) hack which, according to reports, was brought to Twitter’s attention over a month ago, but no action was taken.
The XSS vulnerability allowed an individual to insert a JavaScript “onmouseover” command into their Tweets that would open a link whenever an individual hovered over it. The hack quickly spread through Twitter, and became so bad that at one point users couldn’t even visit the site’s homepage without becoming infected.
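As an added illustration (not code from this article or from Twitter, whose rendering code is not described here), the following hypothetical tweet linkifier shows how an unescaped quote in user text can turn into an `onmouseover` attribute, next to a version that escapes for the attribute context. All function names and the sample tweet are constructed assumptions.

```javascript
// Hypothetical tweet linkifier; names and sample input are constructed.
const URL_RE = /https?:\/\/\S+/g;
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can end a text node or a quoted attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Vulnerable: the URL is pasted into href="..." as-is. A double quote inside
// it closes the attribute, and what follows is parsed as further attributes.
function renderUnsafe(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened: every piece of user text is escaped for the context it lands in,
// both the text between links and the URL inside the attribute.
function renderSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    const url = escapeHtml(m[0]);
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${url}" rel="nofollow">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Coarse regression check for a test suite (not a sanitizer): does any tag in
// the rendered markup carry an on* event-handler attribute?
function hasEventHandlerAttr(html) {
  return /<[a-z][^>]*?["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample: a "URL" containing a quote and an inert handler.
const SAMPLE = 'look http://example.test/a"onmouseover="void(0)"x="';

console.log(hasEventHandlerAttr(renderUnsafe(SAMPLE))); // true
console.log(hasEventHandlerAttr(renderSafe(SAMPLE)));   // false
```
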
According to The Guardian, the first individual who discovered the flaw was Japanese developer Masato Kinugawa, who claims to have reported it to Twitter on August 14. Kinugawa set up a test Twitter account (Rainbow Twtr) and tested the flaw by using it to change the color of Tweets. Unfortunately, the exploit was noticed by other users, and more malicious versions of Kinugawa’s hack began cropping up.
Other than assuring users on their status blog that the XSS attack had been “fully patched,” Twitter has not said much about the attack. It was only individuals using the site itself that were affected. Individuals using third-party software to tweet were unscathed by the attack.
The attack has come at a bad time for Twitter, as they are currently planning to launch a new ad-centric version of their site. The fact that third-party software has proven more secure than Twitter itself is bad news for the micro-blogging site.



