Twitter/JavaScript exploit

Guest-post by steveegg

Earlier this morning, there was a rather nasty exploit on the web version of Twitter involving JavaScript. Somebody figured out that the web versions of Twitter, both standard and mobile, allowed JavaScript code inserted into a tweet to be executed. In this instance, the onMouseOver function was used to cause the exploit to be put into the user’s timeline when someone moused over the tweet (which, thanks to other elements of the code, took up essentially the entire browser window).

Fortunately, it did not affect, at least directly, those who use third-party Twitter clients like TweetDeck, Seesmic, or the various mobile phone apps. Even more fortunately, Twitter was able to patch this exploit, so now it’s safe to use the web interface again (or so everybody hopes).

If you fell victim to this, I recommend going back through your timeline, searching for any tweet that has “onmouseover” in it, and deleting those tweets. I further recommend running a full anti-virus and anti-spyware scan ASAP.

Phineas says:

September 21, 2010 at 10:47 am

I saw some bizarre red scribbling all over the page when I checked the web version this morning. That must’ve been why. Thanks for posting this. I’ll run a full check when I get home this evening.

Sister Toldjah says:

September 21, 2010 at 4:13 pm

Thanks, steve!!