Twitter has suffered a cross-site scripting (XSS) attack via a security flaw on its new website, forcing the social network to identify the attack and roll out a patch. Over the last few hours, users were tweeting about a "mouseover security flaw," saying that "Twitter got hacked." The security flaw in question allowed messages to pop up and third-party websites to open in a browser simply when users moved their cursor over a link (clicking was not required) thanks to JavaScript's "onmouseover" function.
The malicious messages spread very quickly, exploiting the vulnerability without the consent of users, likely because the onmouseover function can be used to automatically fill out a form for the user that posts a message to all followers. Users of third-party Twitter applications were not affected by the flaw because they don't use the onmouseover function; it appears that only users surfing the newly updated web version of Twitter were affected, but this number is still estimated to be in the thousands.
The Twitter Status blog today warned users and kept them updated. "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," the posting explained. "We expect the patch to be fully rolled out shortly and will update again when it is. Update (6:50 PDT, 13:50 UTC): The exploit is fully patched." At the time of writing, the message had been retweeted over 5,000 times.