San Francisco-based Twitter.com experienced a short but visible exploit yesterday when someone realized Twitter.com had failed to fully close an old cross-site scripting hole. This oversight allowed users to enter scripts in the form of tweet text, and caused viewers on Twitter.com who moused over such a tweet to see a color change or to retweet it without their knowledge. The security hole was discovered and fixed within six hours.
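The article does not describe the exact defect, so the following added example (not Twitter's code) assumes a common pattern behind this kind of bug: user-supplied tweet text is turned into links by string concatenation, so a quote character in the text breaks out of the href attribute and can add an event-handler attribute. It shows that naive renderer beside a hardened one that escapes every user-controlled fragment for the context it lands in.

```javascript
// Added example, not code from Twitter. SAMPLE_TWEET is a constructed input.
// Assumption: tweet text is "linkified" into <a> tags before being shown.

// Escape the five characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Deliberately loose URL matcher: anything non-whitespace after http(s)://.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: raw user text is concatenated straight into markup.
function linkifyNaive(tweet) {
  return tweet.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// Hardened renderer: the text between links and the link itself are both
// escaped, so user input can never open a new attribute or tag.
function linkifySafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Defender's check: list the attribute names present on rendered <a> tags.
// A correct renderer should only ever produce "href".
function renderedAttributes(html) {
  const names = new Set();
  for (const tag of html.matchAll(/<a\s([^>]*)>/g)) {
    for (const attr of tag[1].matchAll(/(\w[\w-]*)="([^"]*)"/g)) {
      names.add(attr[1].toLowerCase());
    }
  }
  return [...names].sort();
}

// Constructed tweet whose "URL" carries a quote followed by an extra attribute.
const SAMPLE_TWEET = 'check http://example.invalid/"onmouseover="injected now';
```

Running `renderedAttributes` over both renderers' output for `SAMPLE_TWEET` shows the naive version emitting an extra onmouseover attribute while the hardened version emits only href.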
Twitter said the exploit did not compromise security or passwords, posting an update on their blog:
This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.
The White House Twitter account, with over 1.8 million followers, was briefly affected. Twitter pointed out that third-party applications such as TweetDeck were not affected. As Twitter's popularity grows, it is increasingly becoming a target of viruses, malware, and exploits. Users need to be extra vigilant when using popular sites such as Twitter, Facebook, and Gmail.
Both Facebook and Gmail recently added additional security to protect user accounts. Twitter itself recently required all third-party apps to authenticate with OAuth, which prevents those apps from storing user passwords. Additional security steps unfortunately usually mean more steps for users. It's a necessary trade-off and par for the course in using popular social networking services. Users of Firefox also have the option of adding the NoScript add-on to prevent automatic execution of scripts.