Twitter is facing heavy criticism after a security vulnerability in its website saw tens of thousands of users redirected to porn sites.
The flaw was exposed on Twitter.com yesterday afternoon, allowing malicious users to submit JavaScript code as a plain-text tweet. That code redirected followers to rogue websites as soon as the victims hovered their mouse over the link. Twitter clients were not affected.
To make matters worse, the code was later tweaked to retweet the malicious message to an affected user’s followers, causing the worm to propagate across the service.
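The class of flaw described above is a stored cross-site scripting bug: tweet text reached an HTML attribute without attribute-context escaping, so a quote in the text could end the attribute and begin a new one such as an `onmouseover` handler. The following is an added illustration of the unsafe pattern beside a hardened renderer; it is not Twitter's code, and the input, function names and `x()` handler are constructed for the example.

```javascript
// Added illustration, not Twitter's code. All inputs here are constructed.

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allow only http(s) links; anything else (other schemes, unparseable text) is refused.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Unsafe renderer: interpolates the raw text straight into the attribute.
function renderUnsafe(url) {
  return `<a href="${url}">${url}</a>`;
}

// Hardened renderer: validate the scheme, then escape for attribute context.
// Unparseable or non-http(s) input is shown as plain escaped text, not a link.
function renderSafe(url) {
  const href = safeHref(url);
  if (href === null) return escapeHtmlAttr(url);
  const h = escapeHtmlAttr(href);
  return `<a href="${h}">${h}</a>`;
}

// Test oracle for templates: does the markup contain an inline event-handler
// attribute (onmouseover=, onclick=, ...) that the template never intended?
function hasInlineHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed input: link text that tries to close the href attribute early.
const constructedTweet = 'http://example.com/" onmouseover="x()';
```

Running `renderUnsafe(constructedTweet)` yields markup that `hasInlineHandler` flags, while `renderSafe` keeps the text inside the attribute because the URL parser percent-encodes the quote and space and the escaper neutralises anything that remains.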
In a statement posted on the Twitter blog, security chief Bob Lord admitted that the microblogging service had experienced the JavaScript bug before.
“We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.”
The Twitter site was left up and running for the entire five hours or more that it took to fix the issue, but the company claims no damage was done.
“The vast majority of exploits related to this incident fell under the prank or promotional categories,” Lord said.
“Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.”
Lord added that Twitter is “focused on quickly resolving exploits when they surface but also on identifying possible vulnerabilities beforehand”.
Additional reporting by Barry Collins