
Twitter 'onMouseOver' incident traced back to teen, developer

yesterday's "onmouseover" issue The Guardian Twitter's explanation

The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted javascript code as plain text into a Tweet that could be executed in the browser of another user. We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.
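The class of bug described above, as an added example that is not part of the article and not Twitter's code. The page does not show the affected markup, so this assumes a hypothetical renderer that auto-links URLs by placing them inside a double-quoted `href`; the function names and the sample tweet are constructed for illustration.

```javascript
// Hypothetical tweet renderer (assumption, not Twitter's implementation).
const URL_RE = /https?:\/\/\S+/g;

// Escape text for HTML text nodes and for quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Vulnerable form: the matched URL is copied into href="..." unchanged, so a
// double quote inside it ends the attribute and what follows is parsed as
// further attributes of the <a> tag.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, u => `<a href="${u}">${u}</a>`);
}

// Hardened form: every piece of user text is escaped for the context it
// lands in, both the surrounding text and the URL inside the attribute.
function linkifySafe(tweet) {
  let out = '', last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += `<a href="${u}">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Crude check for this demo only: does any tag carry an on* handler attribute?
// A real test suite would parse the markup with an HTML parser instead.
function hasEventHandlerAttr(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}

// Constructed sample input; noop() stands in for arbitrary script.
const SAMPLE = 'look http://example.test/#@"onmouseover="noop()"/';

console.log(linkifyUnsafe(SAMPLE), hasEventHandlerAttr(linkifyUnsafe(SAMPLE)));
console.log(linkifySafe(SAMPLE), hasEventHandlerAttr(linkifySafe(SAMPLE)));
```

A regression test of this kind, kept in the renderer's test suite, is what catches a fix being undone by a later site update.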

Kinugawa's idea was spotted by others. It's not clear whether some people had had the same idea, or realised the weakness, but next to spot the possibility was a Scandinavian developer, Magnus Holm. He spotted the idea and began playing with the idea - and then had the idea of extending the code so that it would retweet itself using the account of anyone signed in to Twitter.com when they moused over the link. At first he thought the worm wouldn't really do anything: "meh, this worm doesn't really scale. the users can just delete the tweet :(" he wrote. Then within a few minutes he saw that it had started spreading virally. "holy shit. I think this is exponential: '3381 more results since you started searching'," he said - adding, a few minutes later "This is scary." Others picked the idea up and mutations began to appear. Some were used by a Russian site; others by a Japanese hard-core pornography site. A fresh mutation didn't wait for you to put your mouse over the link (as the warnings about that began appearing within minutes): a revised version turned the whole of the Twitter.com page into a "link", so that any Twitter user who was signed in would automatically retweet the infected link to their followers.

told Agence France-Presse (AFP) Mashable

However, in this case, the flaw was so elementary and spread so fast that it’s hard to point at Delphin and consider him solely responsible for the damage it caused (which, according to Twitter, was not very big, despite the fact that the flaw was potentially extremely dangerous). Delphin (together with several others, for example Scandinavian developer Magnus Holm) claims he merely modified the idea from another user who had used the code to make his tweets colored, meaning he was not the first to expose the flaw.