It should be noted that the bug affected Twitter.com and, potentially, third-party systems opened in a web browser. Security company F-Secure advised users to use applications such as TweetDeck until the problem was fixed. However, all users would have seen rogue tweets.
The system was affected for several hours, and a search for onmouseover reveals the extent of the flaw. A few issues surprise me:
- Why didn’t Twitter take down the service immediately?
- Why wasn’t user input fully sanitized? We all make programming mistakes, but this was a fairly fundamental problem.
- Why wasn’t the flaw found sooner? (Perhaps it was introduced in a recent update?)
Please tweet me with your answers. On second thoughts…
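The sanitisation point above, as an added example that is not from the original post: a naive link renderer that drops a user-supplied URL straight into an href attribute, beside a hardened version that accepts only http(s) URLs and escapes the value for the attribute context. The sample input is constructed, and nothing here is taken from Twitter's own code.

```javascript
// Added example (not from the original post). Renders a user-supplied link as
// an <a> tag. The unsafe version interpolates the raw string; the safe version
// validates the URL scheme and escapes the attribute value.

function renderLinkUnsafe(url) {
  // Vulnerable: a quote in the input closes the href value, and whatever
  // follows becomes additional attributes on the element.
  return '<a href="' + url + '">' + url + '</a>';
}

function escapeHtmlAttr(s) {
  // Escape the characters that can break out of a quoted attribute or text node.
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function normaliseHttpUrl(url) {
  // Return the parser-normalised form of an http(s) URL, or null for anything
  // else (javascript:, data:, unparsable input). WHATWG parsing also
  // percent-encodes quotes and spaces in the path.
  try {
    const u = new URL(url);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) {
    return null;
  }
}

function renderLinkSafe(url) {
  const href = normaliseHttpUrl(url);
  if (href === null) {
    // Not a plain http(s) URL: show it as escaped text, never as a link.
    return escapeHtmlAttr(url);
  }
  const esc = escapeHtmlAttr(href);
  return '<a href="' + esc + '">' + esc + '</a>';
}

// Does the markup contain an on*="..." event-handler attribute?
function hasEventHandlerAttr(html) {
  return /\son[a-z]+\s*=\s*"/i.test(html);
}

// Constructed sample: a quote followed by an event-handler attribute.
const SAMPLE = 'http://example.com/" onmouseover="alert(1)';
```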