Major Security Flaw Discovered (and Exploited) on Twitter

By Chris Crum, Social Media


Update: Twitter has addressed the issue on the main company blog:

The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed. 

The longer version of the story can be read on the blog.

Original Article: A security flaw on Twitter has been exposed, which lets users post onMouseOver JavaScript code to make content pop up right on the site.
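As an added illustration (not Twitter's code, and not code from this article), the following JavaScript shows the class of bug described above from the defender's side: a tweet renderer that splices user-supplied text into an HTML attribute without escaping lets an onMouseOver handler become part of the tag, a renderer that escapes for attribute and text context keeps the same input inert, and a simple check flags inline event handlers in rendered output. The function names, the URL pattern and the sample tweet are constructed for this example.

```javascript
// Added example, not Twitter's code: attribute-context XSS in a hypothetical
// tweet linkifier, the hardened version, and a check over the rendered HTML.

// Escape text for safe placement in HTML text and in double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer (hypothetical): the matched URL is spliced straight into
// href="...", so a quote inside the URL closes the attribute and whatever
// follows is parsed by the browser as further attributes of the <a> tag.
function renderTweetUnsafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened renderer: the URL match stops at quotes and angle brackets, and
// every fragment (URL and surrounding text) is escaped for its context.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}" rel="nofollow">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Detection check: does any tag in the rendered HTML carry an inline event
// handler attribute (on<event>=)? Rendered user content should never produce
// one, so a hit here is a signal for a review of the renderer.
function hasInlineHandler(html) {
  return /<[^>]*["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet: a URL followed by an attribute-breakout.
const SAMPLE_TWEET = 'check this http://example.com/"onmouseover="alert(1) now';

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe  :', renderTweetSafe(SAMPLE_TWEET));
console.log('unsafe has handler:', hasInlineHandler(renderTweetUnsafe(SAMPLE_TWEET)));
console.log('safe has handler  :', hasInlineHandler(renderTweetSafe(SAMPLE_TWEET)));
```

The design point is that the fix is not a blocklist of the word "onmouseover" but context-aware escaping at the point where user text meets markup; the detection regex is only a coarse check over output and would not be a substitute for that escaping.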

"Messages are also spreading virally exploiting the vulnerability without the consent of users," says security expert Graham Cluley at Sophos. "Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister."

Brown's account was displaying a Japanese porn site. "That's obviously bad news for her followers - over one million of them," says Cluley, who created the following video about the flaw:

A post on the Twitter status blog, from 12 minutes ago, indicates they have things under control. "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," it says.  

Twitter still has to roll the patch out, and that could take a while to complete, so bear that in mind. The blog will be updated when the roll-out is complete.

Chris Crum
Chris Crum has been a part of the WebProNews team and the iEntry Network of B2B Publications since 2003. Follow Chris on Twitter, on StumbleUpon, on Pinterest and/or on Google: +Chris Crum.
