Twitter blames upgrade for onMouseOver flaw

Posted by Emma Woollacott

Oops: Twitter says it had already identified and fixed the security flaw that left the site in chaos yesterday - but then messed up that fix with a later update.

The company moved fast yesterday to close the hole, saying the main issue was resolved in a little over four hours, and the loose ends tied up within six.

But, it says, yesterday's events wouldn't have happened at all had a recent website update - unrelated to New Twitter, it says - not reintroduced the flaw that had already been fixed.

"This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit," says Twitter's Bob Lord.

"However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit."

While the flaw may have been discovered independently by more than one person, a 17-year-old Australian schoolboy, Pearce Delphin, believes he kicked the whole affair off.

"At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn't even considered it," he told AFP.

And security firm Netcraft suggests that the lad - known as zzap - discovered the vulnerability after stumbling across RainbowTwtr's manipulation of the same flaw. RainbowTwtr - a Japanese developer - is believed to have started taking advantage of it to display the colors of the rainbow last month.

"Zzap (jokingly?) suggested that nobody should tell the 4chan forum about the XSS vulnerability; however, some other users have already started Rickrolling other users by tweeting Rick Astley lyrics in pop-up JavaScript alert messages," says Netcraft's Paul Mutton.
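The two things a defender takes from this story are the shape of the bug (user-supplied text, a link in a tweet, ending up in tag context where an onMouseOver handler can be attached) and the way the fix was lost to a later deploy. The following is an added illustration, not Twitter's code and not derived from it: a link-building renderer that concatenates tweet text into markup, the same renderer with HTML escaping applied to every user-controlled fragment, and a regression check that fails whenever an attribute the template did not emit shows up in the output. All function names and the sample tweets are constructed for this example.

```javascript
// Added example, not Twitter's code: a "before" renderer that concatenates
// user text into markup, an "after" renderer that escapes it, and a regression
// check that would catch the fix being undone by a later deploy. Every
// function name and the sample tweets below are constructed for this
// illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const URL_RE = /^https?:\/\/\S+$/;

// Escape the characters that can end text content or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// "Before": a quote inside a URL token closes the href attribute, and whatever
// follows is parsed by the browser as further attributes of the <a> tag.
function renderTweetUnsafe(text) {
  const body = text.split(/\s+/).map((tok) =>
    URL_RE.test(tok) ? `<a href="${tok}">${tok}</a>` : tok).join(' ');
  return `<p class="tweet">${body}</p>`;
}

// "After": user text is escaped wherever it lands, both in the attribute value
// and in the link text, so it can never terminate the attribute it sits in.
function renderTweetSafe(text) {
  const body = text.split(/\s+/).map((tok) =>
    URL_RE.test(tok)
      ? `<a href="${escapeHtml(tok)}">${escapeHtml(tok)}</a>`
      : escapeHtml(tok)).join(' ');
  return `<p class="tweet">${body}</p>`;
}

// Collect attribute names from every opening tag in a markup string, following
// the HTML rule that a new attribute may begin right after a closing quote.
function attributeNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<([a-zA-Z][^\s/>]*)([^>]*)>/g)) {
    let rest = m[2];
    while (rest.length) {
      rest = rest.replace(/^\s+/, '');
      const name = rest.match(/^[^\s=/>"']+/);
      if (!name) { rest = rest.slice(1); continue; }
      names.add(name[0].toLowerCase());
      rest = rest.slice(name[0].length).replace(/^\s*/, '');
      if (rest[0] !== '=') continue;
      rest = rest.slice(1).replace(/^\s*/, '');
      if (rest[0] === '"' || rest[0] === "'") {
        const end = rest.indexOf(rest[0], 1);
        rest = end === -1 ? '' : rest.slice(end + 1);
      } else {
        rest = rest.replace(/^[^\s]*/, '');
      }
    }
  }
  return names;
}

// Regression check: the template only ever emits class and href; any other
// attribute name means user text reached tag context unescaped.
const ALLOWED = new Set(['class', 'href']);

function passesRegression(render, samples) {
  return samples.every((t) =>
    [...attributeNames(render(t))].every((n) => ALLOWED.has(n)));
}

// Constructed sample tweets: one ordinary, one whose URL closes the href quote
// and appends an event-handler attribute (the shape of attribute injection).
const SAMPLES = [
  'hello world http://example.test/page',
  'http://example.test/"onmouseover="alert(1)',
];

console.log('unsafe renderer passes:', passesRegression(renderTweetUnsafe, SAMPLES));
console.log('safe renderer passes:', passesRegression(renderTweetSafe, SAMPLES));
```

The point of `passesRegression` is that it lives in the test suite rather than in a reviewer's head: it is run against the hostile sample on every build, so a later change to the renderer that drops the escaping, as the article says happened here, fails the build instead of reaching production.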