
Sergio Dionisio

Either the wife of former British prime minister Gordon Brown really does endorse Japanese porn sites, or somebody discovered a security flaw in Twitter.

The world's most popular microblogging site suffered an embarrassing setback on Tuesday, after users discovered that a snippet of code smuggled into a tweet could be used to send the site's visitors to other websites - without the visitors ever clicking on a link.

Although Twitter staff quickly fixed the problem, several users became victims of the hack. Most significantly, Sarah Brown - the wife of the former British Prime Minister and an active Twitter user, with more than one million followers - inadvertently ended up posting a link that redirected viewers to a pornographic website.

Since its launch four years ago, Twitter has morphed from a digital niche product into a global phenomenon. But as its founders attempt to turn it from a simple text-based notification tool into something much more diverse, the site is facing some minor, but nonetheless annoying growing pains.



The flaw

At the heart of Tuesday's Twitter security problem is an HTML attribute called onMouseOver. Simply put, it attaches a small piece of JavaScript code to an element of a web page, and the browser runs that code whenever the user's mouse hovers over the element - no click required. onMouseOver is one of a family of standard "event handler" attributes that websites use for harmless purposes - for example, to highlight a button or display a small pop-up caption when a user's mouse passes over a picture.

However, in Twitter's case, users quickly found that a carefully written tweet could cause an onMouseOver attribute to end up inside the web page Twitter generated for everyone reading that tweet. The attached code could then send a reader to another website as soon as the reader's mouse hovered over the text. As a result, visitors could be redirected to potentially malicious sites without ever clicking on a link. Attacks of this kind are known as "cross-site scripting": an attacker plants code in a piece of text or other content that a website displays, and the code runs in the browser of every visitor who views it, with whatever rights that visitor has while logged in. A variation of Tuesday's Twitter exploit used those rights to make readers involuntarily re-tweet the original message, which is how it spread so quickly.
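To make the mechanism concrete, here is an added example written for this page; it is not Twitter's code and does not reproduce the exact tweet used on Tuesday. It shows a minimal routine of the kind that turns URLs in a message into clickable links, first written so that a stray quotation mark lets an onMouseOver attribute into the generated page, and then rewritten so that everything inserted into the page is escaped. The payload string, the hosts example.test and attacker.test, and the function names are assumptions chosen for illustration.

```javascript
// Added example (not Twitter's code): how an onMouseOver handler can ride
// into a page on the back of a "link" when the code that turns URLs into
// anchors does not escape what it inserts, and how escaping closes the hole.
// The payload, hosts and function names are assumptions for illustration.

// Matches an http(s) URL up to the next whitespace or "<" - a plausible
// shape for a linkifier, and exactly the leniency the payload relies on.
const URL_RE = /https?:\/\/[^\s<]+/g;

// VULNERABLE: the matched text is pasted straight into an attribute and
// into the element body. A double quote in the URL terminates href early,
// and whatever follows becomes a new attribute on the <a> element.
function linkifyNaive(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escapes the characters that carry meaning in HTML text and inside
// double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// SAFER: normalise the URL through the platform's own URL parser (which
// percent-encodes a stray double quote in the path) and escape both the
// attribute value and the visible link text for their HTML contexts.
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    let parsed;
    try {
      parsed = new URL(url);
    } catch (e) {
      return escapeHtml(url); // not a URL after all: render it as plain text
    }
    return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(url)}</a>`;
  });
}

// Rough check for an inline event-handler attribute (onmouseover=, onclick=,
// ...) in rendered markup. Browsers accept such an attribute whether it is
// preceded by whitespace or directly by the closing quote of the previous one.
function hasInlineHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed payload: a "URL" that closes the href attribute with a double
// quote and appends a handler that navigates the reader elsewhere on hover.
// It contains no whitespace, so URL_RE swallows it whole.
const PAYLOAD =
  'http://example.test/@"onmouseover="location.href=\'http://attacker.test\'"/';
const TWEET = `check this out ${PAYLOAD}`;

// Renders the constructed tweet both ways and reports whether a handler
// attribute survived into the markup.
function demo() {
  const naive = linkifyNaive(TWEET);
  const safe = linkifySafe(TWEET);
  return {
    naiveHtml: naive,
    safeHtml: safe,
    naiveHasHandler: hasInlineHandler(naive), // true: hovering would redirect
    safeHasHandler: hasInlineHandler(safe),   // false: payload is inert text
  };
}

const result = demo();
console.log('naive:', result.naiveHtml);
console.log('safe :', result.safeHtml);
```

The naive version emits `<a href="http://example.test/@"onmouseover="…">`, which a browser reads as an anchor with two attributes, the second of which fires on hover. The safer version leaves the attacker's quotation marks as `%22` inside the href and as `&quot;` in the link text, so the same characters reach the reader as harmless text. The general lesson is that any value written into a page must be escaped for the context it lands in; here that context is a double-quoted attribute.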



The impact

Twitter says the vast majority of attacks based on Tuesday's security flaw were harmless pranks - for example, users posting messages that, when a reader's mouse hovers over them, pop up an alert box with a silly message. The site had actually fixed the problem last month, but a recent update to its web pages reintroduced it.

Although the onMouseOver flaw represents little more than a minor headache for the microblogging site, the very nature of Twitter makes such headaches more likely. The site's fundamental purpose is for sharing; as such, malicious links can quickly spread to thousands or millions of users. Indeed, thousands of Twitter accounts exist solely to try to trick users into clicking on links to spam or otherwise malicious websites. The rise of URL-shortening services such as Bit.ly - which obscure the true address of websites - has made it more difficult for users to differentiate useful links from dangerous ones.



The future

Like many new media businesses, Twitter has achieved massive popularity before achieving profitability. As such, the company is constantly trying to figure out ways to expand the simple microblogging service into something bigger. The site recently underwent a design overhaul that incorporates more multimedia components on the homepage.

However, an entire ecosystem of third-party developers has grown around Twitter. Indeed, many Twitter users don't ever visit the site's homepage - instead, they use the service via applications such as TweetDeck and ÜberTwitter. Incidents such as Tuesday's security issue - which didn't affect users of third-party Twitter apps or Twitter's service for mobile devices - will again raise the question of whether Twitter should focus on creating a platform for outside developers, or competing with them.
