
Twitter: Site Update Unleashed 'OnMouseOver' XSS Exploit

By Chloe Albanesius, Executive Editor, News


Twitter on Tuesday blamed this morning's "onMouseOver" incident on a recent site update that unknowingly reintroduced a cross-site scripting flaw it had discovered and patched last month.

Twitter was notified about the problem at 2:45am Pacific time Tuesday morning, and resolved it completely by 12:15pm, the company said in a blog post.

Earlier today, visitors to Twitter.com found that hovering their mouse over a link could cause pop-up messages and third-party Web sites to open up in their browser – hence the "onMouseOver" name.

"The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS)," wrote Bob Lord with Twitter's security team. "Cross-site scripting is the practice of placing code from an untrusted Web site into another one. In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user."

This issue actually cropped up last month, at which time Twitter fixed the problem, Lord said. But a recent site update – not related to the new Twitter.com – "unknowingly resurfaced it."

Someone noticed the security hole this morning and took advantage of it. "First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the tweet," Lord wrote. "Other users took this one step further and added code that caused people to re-tweet the original Tweet without their knowledge."
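As an added illustration, not Twitter's code and not from the original article, here is a simplified model of the defect described above: a link renderer that drops a user-supplied URL into an href attribute without encoding, beside a version that checks the scheme and attribute-encodes the value, plus a small check that lists the attributes a browser would actually see. The function names and the sample payload are constructed for this example.

```javascript
// Added example: how unencoded attribute interpolation yields an
// onMouseOver-style XSS, and how attribute encoding prevents it.
// Simplified model of "turn a URL in a tweet into a link"; not Twitter's code.

// Vulnerable: the URL is pasted straight into the href attribute.
function renderLinkVulnerable(url) {
  return `<a href="${url}">${url}</a>`;
}

// Encode the five characters that can break out of an attribute value or a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: only http(s) URLs become links, and the value is attribute-encoded.
// Anything else (e.g. a javascript: URL) is rendered as plain escaped text.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) return escapeHtml(url);
  const safe = escapeHtml(url);
  return `<a href="${safe}">${safe}</a>`;
}

// Constructed sample: a "URL" that closes the href attribute and appends an
// inline event handler, the shape of the onMouseOver problem in the article.
const CONSTRUCTED_PAYLOAD = 'http://example.test/" onmouseover="doEvil()';

// Check helper: the attribute names present on the first <a ...> tag in the
// rendered HTML, i.e. what a browser would attach to the link.
function attributeNames(html) {
  const tag = /<a\s([^>]*)>/i.exec(html);
  if (!tag) return [];
  return [...tag[1].matchAll(/([^\s=]+)\s*=\s*"[^"]*"/g)].map((m) => m[1].toLowerCase());
}

// Stand-alone run: the vulnerable renderer exposes an onmouseover attribute,
// the hardened one leaves only href.
console.log(attributeNames(renderLinkVulnerable(CONSTRUCTED_PAYLOAD))); // [ 'href', 'onmouseover' ]
console.log(attributeNames(renderLinkSafe(CONSTRUCTED_PAYLOAD)));       // [ 'href' ]
```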

The issue did not affect Twitter's mobile Web site or its mobile apps. Most of the exploits were pranks or promotional in nature, he said. Users might see "strange" activity on their timelines, but Twitter is "not aware of any issues related to it that would cause harm to computers or their accounts." Account information was also not compromised, so users do not need to change their passwords.

"We're not only focused on quickly resolving exploits when they surface but also on identifying possible vulnerabilities beforehand," Lord concluded. "This issue is now resolved. We apologize to those who may have encountered it."
