
Twitter patched onMouseOver flaw last month
Micro-blogging site admits it knew about the XSS flaw before it caused havoc yesterday

Twitter has admitted that it issued a patch last month for the cross-site scripting flaw which caused havoc on the micro-blogging site yesterday, but that a site update "resurfaced" the flaw.
Bob Lord, of the Twitter security team, explained in a blog post that the so-called 'onMouseOver' flaw, which appeared at around 10.30 yesterday morning, was fully fixed by 5pm.
Lord explained that one Twitter user noticed the security hole early on, and decided to take advantage of it.
"First, someone created an account that exploited the issue by turning tweets different colours and causing a pop-up box to appear when someone hovered over the link in the tweet," he said.
"This is why folks are referring to this as an 'onMouseOver' flaw. The exploit occurred when someone 'moused' over a link."
Lord explained that other users then added code that caused people to retweet the original tweet without their knowledge.
However, Lord admitted that his team had "discovered and patched this issue last month", but that "a recent site update (unrelated to the new Twitter) unknowingly resurfaced it".
The admission will be an embarrassing one for Twitter as the company struggles to prove that it can be trusted to run a safe and secure site.
Sophos senior technology consultant Graham Cluley argued that the revelation points to what appears to be "some pretty shocking quality control".
"Hopefully they'll learn from this blunder and ensure that they have better processes in place in future," he added.
Just last month Twitter announced support for a new authentication system for people using third-party applications to read or send tweets, in a bid to boost the security and usability of the site.