Bob Lord

Mediabistro Course

Online Marketing

Online MarketingStarting November 4, learn how to launch a successful digital marketing campaign for your brand! In this course, you'll learn how to create an online marketing strategy, identify the appropriate distribution platforms, and use the web to successfully deliver your brand's message. Register now!

Twitter Explains 'onMouseOver' Security Breach

Bob Lord from the Twitter security team explained the security breach on Twitter.com that occurred early Tuesday morning — in which users who hovered over links were directed to suspect Web sites and spam messages were automatically generated and retweeted — in a post on the Twitter Blog:

The short story: This morning at 2:54 a.m. PT, Twitter was notified of a security exploit that surfaced about a half-hour before that, and we immediately went to work on fixing it. By 7 a.m. PT, the primary issue was solved. And, by 9:15 a.m. PT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted Web site into another one. In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user.

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Read more