Bob Lord

Mediabistro Course

Social Media 201

Social Media 201Starting October 13Social Media 201 picks up where Social Media 101 left off, to provide you with hands-on instruction for gaining likes, followers, retweets, favorites, pins, and engagement. Social media experts will teach you how to make social media marketing work for your bottom line and achieving your business goals. Register now!

Twitter Explains 'onMouseOver' Security Breach

Bob Lord from the Twitter security team explained the security breach on Twitter.com that occurred early Tuesday morning — in which users who hovered over links were directed to suspect Web sites and spam messages were automatically generated and retweeted — in a post on the Twitter Blog:

The short story: This morning at 2:54 a.m. PT, Twitter was notified of a security exploit that surfaced about a half-hour before that, and we immediately went to work on fixing it. By 7 a.m. PT, the primary issue was solved. And, by 9:15 a.m. PT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted Web site into another one. In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user.

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Read more