
Twitter infected with cross-site script

This is a serious #fail on Twitter’s part. This morning some clever Twitter user crafted a tweet that spread like wildfire on the service. Using an attack known as cross-site scripting (XSS), the exploit soon infected many thousands of Twitter users.

The tweet used a simple piece of JavaScript hung on an HTML “onmouseover” event handler, smuggled into a link that pointed unsuspecting users to a website at t.co. Whenever the link was hovered, the JavaScript dutifully retweeted the tweet using the following code (modified for safety):

http://localhost/@"onmouseover="document.getE1ementById('status').value='RT nobody';$('.status-update-form').submit();"c1ass="modal-overlay"/

All a user had to do was move her mouse over the booby-trapped tweet and bam, it struck.

Twitter should’ve known better and filtered out posts that include JavaScript.
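To show exactly where the hole is, here is an added example (not Twitter’s code, and not part of the original post) of a link-rendering step that drops tweet text straight into an href attribute, next to a version that attribute-encodes it first. The sample URL is constructed to have the same shape as the payload above, with a harmless handler body; the function names and the check are my own.

```javascript
// Added example (not Twitter's code). Demonstrates attribute breakout in a
// link-rendering step and the encoding that closes it.

// Constructed sample tweet text, shaped like the post's payload but with a
// harmless handler body. The first quote terminates the href attribute early,
// so everything after it is parsed as further attributes of the <a> tag.
const SAMPLE_TWEET_URL =
  'http://example.invalid/@"onmouseover="console.log(\'hovered\')"class="modal-overlay"/';

// Encode the characters that can end an attribute value or the tag itself.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: raw interpolation into an attribute (the bug the post describes).
function renderLinkVulnerable(url) {
  return `<a href="${url}" class="timeline-link">${url}</a>`;
}

// Hardened: attribute-encode before interpolating, so a quote in the tweet
// stays inside the href value instead of starting a new attribute.
function renderLinkSafe(url) {
  const enc = escapeAttr(url);
  return `<a href="${enc}" class="timeline-link">${enc}</a>`;
}

// List the attribute names of the opening <a> tag as a tokenizer would see
// them: name="value" pairs up to the first '>'.
function openingTagAttributeNames(html) {
  const tag = html.match(/^<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([A-Za-z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Defender-side check: did any on* event handler end up in the rendered tag?
function hasEventHandlerAttribute(html) {
  return openingTagAttributeNames(html).some((n) => n.startsWith('on'));
}

// Run stand-alone: the vulnerable renderer grows an onmouseover attribute,
// the hardened one keeps the whole string inside href.
console.log('vulnerable:', openingTagAttributeNames(renderLinkVulnerable(SAMPLE_TWEET_URL)));
console.log('hardened:  ', openingTagAttributeNames(renderLinkSafe(SAMPLE_TWEET_URL)));
```

The point of the second renderer is that the fix is encoding at the output boundary, not spotting the word “javascript” in tweets: the hardened version never has to know what the handler does, because a quote from user text can no longer close the attribute.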

Update: There doesn’t seem to be anything inherently evil about this script; all it appears to do is retweet itself. Still, it shows that the more sites like Twitter and Facebook push page rendering and other tasks out to the browser using JavaScript (or AJAX), the more security holes there are bound to be.

Twitter has now patched their system so that the attack cannot happen again.