Home Did Twitter Know About Security Flaw Late Last Month? [Update]

Did Twitter Know About Security Flaw Late Last Month? [Update]

This morning, Twitter.com – the most widely used Twitter client – was hit by an XSS (cross-scripting) security flaw that allows malicious code to be inserted into shortened URLs on the Twitter website. At first, it seemed like fun and games but it quickly became apparent that it could cause some serious issues, and we warned users to keep away from the website.

Now, it appears that at least some at Twitter knew about the security hole late last month, but nothing was done about it until this morning when it began to wreak havoc across the Web.

Update: Twitter has offered an explanation of what happened this morning, noting that it “discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.” It’s good to know that this particular exploit did not sit there knowingly open for the last month.

The exploit, which we wrote about earlier today, allowed a user to insert a bit of Javascript after an “@” included in the middle of a URL. Some of this code, as evidenced this morning, could self replicate and spread wildly, redirecting users of Twitter.com to other websites. At first, it seemed like this would only happen when users moused over links, but then it began to affect all users of the old Twitter.com. According to Georg Wicherski, the XSS code was spreading at a rate of up to 100 tweets per second during the peak of the infection.

On August 23rd, Twitter front-end developer Ben Cherry posted a “code commit” on code-hosting site github that patched the loophole experienced on Twitter.com this morning. As the description of the commit (or code submission) states, the code “closed XSS after the @”.

It seems to us that an XSS loophole of this sort would be a high priority for Twitter to fix and we could only wonder why it wouldn’t have fixed it sooner. Perhaps it wasn’t a high priority with the redesign of Twitter.com on the way? After all, it seems that the loophole does not affect the new Twitter.com.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.