Twitter Site Update Opened Hole For 'onMouseOver' XSS Attack

The teen, identified as Pearce Delphin, 17, detected the cross-site scripting (XSS) flaw, which allowed JavaScript embedded in the text of a tweet to be executed in the browsers of other users who viewed it. He then posted the code, which allegedly was picked up by hackers, who used it to propagate a more malevolent attack.

"I did it merely to see if it could be done ... that JavaScript really could be executed within a tweet," Delphin told AFP.

Twitter said that the XSS flaw -- known as the 'onMouseOver' flaw, after the JavaScript event handler used in the attack -- was one that the company had already identified and patched in August, but which had resurfaced with its latest site update. Cross-site scripting attacks occur when attackers inject malicious script into a Website so that it runs in the browsers of other users who view the affected page.

"We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it," said Twitter in a blog post Tuesday.


During the attack, Twitter.com users were shown a series of unstoppable pop-ups and were subjected to multi-colored and pornographic tweets. The attack was dubbed "onMouseOver" because it triggered as soon as a user moved the mouse pointer over the malicious tweet, even without clicking.

Later, other miscreants added code that enabled the attack to retweet users' original tweets without their knowledge.

The "onMouseOver" attack spread rapidly and affected thousands of users before Twitter was able to effectively shut it down later Tuesday morning. Among the higher profile victims were White House Press Secretary Robert Gibbs and Sarah Brown, wife of former British Prime Minister Gordon Brown.

However, one mitigating factor was that the attack only affected Twitter.com but not the micro-blogging site's mobile Website or mobile applications such as TweetDeck and Tweetie.

Twitter maintains that the attack was not executed to steal users' login credentials or personal account information, and reassured them that they needn't scurry to change their usernames or passwords.

"The vast majority of exploits related to this incident fell under the prank or promotional categories," Twitter said. "Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts."