Twitter has fixed a cross-site scripting (XSS) vulnerability which caused thousands of messages to spread throughout the system. Unbelievably, the security flaw was exposed by a simple JavaScript onmouseover function call. It was first exploited by zzap and judofyr following posts by RainbowTwtr earlier today:
Passing your mouse over the message caused a JavaScript alert and, within hours, spammers were using the flaw to redirect to other websites, change backgrounds, and retweet messages. Fortunately, Twitter fixed the problem before spammers could attempt to steal cookies or load larger JavaScript payloads from external websites.
It should be noted that the bug affected Twitter.com and, potentially, third-party systems opened in a web browser. Security company F-Secure advised users to use applications such as TweetDeck until the problem was fixed. However, all users would have seen rogue tweets.
The system was affected for several hours and a search for onmouseover reveals the extent of the flaw. A few issues surprise me:
- Why didn’t Twitter take down the service immediately?
- Why wasn’t user input fully sanitized? We all make programming mistakes, but this was a fairly fundamental problem.
- Why wasn’t the flaw found sooner? (Perhaps it was introduced in a recent update?)
Please tweet me with your answers. On second thoughts…
Craig BucklerCraig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
