Twitter Fixes XSS Vulnerability

Twitter has announced that it has fixed the cross-site scripting (XSS) vulnerability that allowed a JavaScript command embedded in tweets to spread further tweets carrying spam links, redirecting users to adult sites and potentially compromised websites.

Tweets with links containing the "onmouseover" event handler string redirected Twitter users as soon as they hovered the mouse pointer over the link, so clicking the link was not even a prerequisite for being infected.
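The defensive counterpart to the behaviour described above, as an added example that is not Twitter's code: a link renderer that escapes attacker-controlled text so it can never become an HTML attribute, plus a simple check a moderation or logging pipeline could use to flag tweets that carry an inline event handler. The hostname `t.example` and the handler name `doSomething` are constructed placeholders.

```javascript
// Added example (not Twitter's code): render a user-supplied link so that text
// inside it can never be interpreted as an HTML attribute such as onmouseover.

const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that could close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// Accept only absolute http(s) URLs; anything else is shown as plain text.
// The URL parser also percent-encodes quotes and spaces in the path.
function safeHref(candidate) {
  try {
    const url = new URL(candidate);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return url.href;
  } catch {
    return null;
  }
}

// Build the anchor with a fixed attribute set. Because the href is escaped,
// a quote inside the user input cannot terminate the attribute and inject
// a new one (the onmouseover pattern).
function renderTweetLink(candidate) {
  const href = safeHref(candidate);
  if (href === null) return escapeHtml(candidate);
  return `<a href="${escapeHtml(href)}" rel="nofollow noopener">${escapeHtml(href)}</a>`;
}

// Detection side: flag tweet text that tries to smuggle an inline event
// handler attribute (onmouseover=, onclick=, ...). Constructed heuristic, not
// a substitute for output encoding.
const EVENT_HANDLER = /\bon[a-z]+\s*=/i;
function containsEventHandler(text) {
  return EVENT_HANDLER.test(text);
}

// Constructed samples: a benign tweet and one carrying a handler attribute.
const BENIGN_TWEET = "look at this link http://t.example/page";
const SUSPICIOUS_TWEET = 'hover here" onmouseover="doSomething()';
```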

The original attack was written by Magnus Holm, who turned the exploit into a worm, but Masato Kinugawa, from Japan, has been credited with actually finding the vulnerability.

At its peak around 70 new tweets were generated per second, and more than 200,000 tweets in total. Others with darker motives soon turned the proof of concept into a spam-spreading machine within hours.

Twitter has confirmed that it identified and patched the XSS vulnerability within two hours of discovering it. During the attack, users were encouraged to use third-party applications such as TweetDeck rather than the main web interface.

Désiré Athow

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.