After receiving numerous reports from the twitterverse and blogosphere, Twitter has finally posted an explanation regarding the “onMouseOver” exploit.
The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.
The longer story: The security exploit that caused problems this morning Pacific time was caused by cross-site scripting (XSS). Cross-site scripting is the practice of placing code from an untrusted website into another one. In this case, users submitted JavaScript code as plain text into a Tweet that could be executed in the browser of another user. (Official Twitter Blog)
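As an added example (not code from this post or from Twitter), the class of bug the quoted explanation describes and its fix: a tweet renderer that splices raw text into HTML beside one that escapes for the HTML context and only links http(s) URLs, plus a parser-based audit that flags inline event handlers. The sample tweet, `URL_RE` and all function names are constructed for illustration and are not the incident's payload.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample tweet: a stray quote and an event-handler attribute
# after what looks like a link (illustrative, not the incident's payload).
SAMPLE_TWEET = 'new post http://example.com/"onmouseover="alert(1) enjoy'

URL_RE = re.compile(r'https?://\S+')


def render_unsafe(text):
    """Naive linkifier: splices raw tweet text into markup (the failure mode)."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)


def render_safe(text):
    """Context-aware output encoding: text nodes and attribute values are
    HTML-escaped, and only http(s) URLs become links; the rest stays text."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.netloc:
            out.append('<a href="%s" rel="nofollow">%s</a>'
                       % (html.escape(url, quote=True), html.escape(url)))
        else:
            out.append(html.escape(url))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


class _HandlerAudit(HTMLParser):
    """Collects inline event handlers (on*) and javascript: URLs in markup."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name))
            elif name.lower() in ("href", "src") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name))


def audit_markup(markup):
    """Return the (tag, attribute) pairs in rendered markup that could run script."""
    p = _HandlerAudit()
    p.feed(markup)
    p.close()
    return p.findings
```

Running `audit_markup` over the unsafe rendering of `SAMPLE_TWEET` reports the injected `onmouseover` attribute on the anchor; over the safe rendering it reports nothing, because the quote that would have closed the `href` attribute is encoded as `&quot;`.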
The company acknowledges that the exploit seemed to be geared more towards pranking users or promotion (note: the Twitter team does not elaborate on what was being promoted), and stated that, so far, the exploit did not appear to have caused any harm to anyone's computer.
According to Twitter, the “onMouseOver” exploit only affected users tweeting from Twitter.com; users of official or third-party apps (e.g. Twitter for iPad, Echofon) were not affected.
While this hack did cause an uproar in the twitterverse (as few knew how dangerous the exploit was), it probably justifies Twitter's stance on using its own short URL service to verify links shared online.
Either way, users should always be careful when clicking links on Twitter, and only click links from people (or organizations) they trust.