When the Bird Flies Through the Loophole

Security is an issue we frequently address on this blog, and unfortunately, it’s time for another look at this popular topic. Twitter’s redesign brought about some great features, but one of the ugly secrets of the redesign was exploited by malicious actors. Yesterday morning, when you rolled over a link on Twitter.com with your mouse, the link opened on its own, sending users to sites riddled with spam, malware and NSFW content. Twitter called the loophole “onMouseOver.”

From Twitter’s blog:

The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.

The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user.

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.

Security issues like the “onMouseOver” incident are hard to avoid as a technology consumer, but developers have the opportunity to test for issues like the one above before curious users with too much time and a knack for mischief come around. It’s the same for all technology professionals: we have a duty to explore all possible loopholes before they become the size of train tunnels.

How are you analyzing your technology for possible loopholes? Share below in the comments.

@ddbrown
