Debunking email hoaxes and exposing Internet scams since 2003!


Twitter Security Flaw Now Resolved

A Hoax-Slayer Nutshell

Published on 22nd September 2010 by Brett M. Christensen

I have been receiving a number of enquiries about a security breach that affected many users of the popular social networking service Twitter. Such a security breach did take place on Tuesday, 21st September 2010. The flaw allowed hackers to wreak havoc on the network for several hours. Many Twitter users reported receiving strange or garbled messages. Many were also redirected to porn or other "untrusted" websites.

However, according to Twitter, the problem has now been resolved. A post on the official Twitter blog notes:
The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another user.

The report further explains:
This exploit affected and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.
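
The class of flaw described in the Twitter post, shown as an added example that is not Twitter's code and not part of the original article: user text turned into a link without output encoding lets a stray quote start a new attribute, while encoding on output keeps the same text inert. The function names and the sample tweet are constructed for illustration.

```javascript
// Added illustration; all names and the sample input are hypothetical/constructed.
const SAMPLE_TWEET = 'hover here http://example.test/a"onmouseover="console.log(1)"';

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: the matched text is concatenated straight into an attribute value,
// so a double quote inside it ends href and begins a new attribute.
function renderTweetUnsafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Safer: split into text and URL segments, normalise URLs with the URL parser,
// and HTML-encode every segment at the point of output.
function renderTweetSafe(text) {
  return text
    .split(/(https?:\/\/\S+)/) // odd indices hold the captured URL candidates
    .map((part, i) => {
      if (i % 2 === 0) return escapeHtml(part); // ordinary text
      let url;
      try {
        url = new URL(part); // percent-encodes quotes in the path
      } catch {
        return escapeHtml(part); // not a valid URL: treat as plain text
      }
      const href = escapeHtml(url.href);
      return `<a href="${href}" rel="nofollow noopener">${href}</a>`;
    })
    .join("");
}

// Review helper: true if a tag in the markup carries an on* event-handler attribute.
function hasLiveEventHandler(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}

console.log("unsafe:", hasLiveEventHandler(renderTweetUnsafe(SAMPLE_TWEET)));
console.log("safe:  ", hasLiveEventHandler(renderTweetSafe(SAMPLE_TWEET)));
```

The helper `hasLiveEventHandler` is a heuristic for reviewing rendered output, not a substitute for encoding at render time.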

For more on the story, see:
All about the 'onMouseOver' incident
Twitter Mouseover Security Flaw Affecting Thousands of Users [WARNING]
Twitter says it repaired security flaw
