Twitter exploit fixed, two new features added


21 Sep 2010

Twitter has fully patched the XSS exploit that allowed tweets to redirect users to other websites or repost themselves repeatedly. It has also reportedly added two new features.

The two new features, according to TechCrunch, include ‘reply-to-all’ and ‘autocomplete.’

When the user hits reply on a tweet that mentions more than one username, the reply-to-all feature addresses the reply to every user mentioned in that tweet.

Autocomplete activates when the user types the @ sign followed by two or three letters of a username; a drop-down menu with the matching usernames then appears.

The earlier attack took advantage of Twitter’s main web interface, which failed to disallow the ‘onMouseOver’ JavaScript event handler in tweet content.

The exploit redirected users to other websites or automatically reposted the tweet as soon as the user hovered the mouse over the affected tweet.
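The bug class the article describes, as an added illustration (this is example code, not Twitter’s own, and it does not reproduce the exact markup Twitter generated): user-controlled text copied into an HTML attribute without output encoding lets a quote character end the attribute and start a new one, such as an onMouseOver handler. The sample tweet, the `x.example` host and the `handler()` name are constructed placeholders. The hardened renderer entity-encodes every user-controlled fragment for the context it lands in, and the `eventHandlerAttributes` scanner is a defender-side check that lists any `on*` attribute a browser would see in the rendered markup.

```javascript
// Added example, not Twitter's code. Shows the vulnerable auto-linking pattern,
// the output-encoding fix, and a simple check for event-handler attributes.

// Naive auto-linker: anything that looks like a URL becomes an <a> tag, and the
// raw text is copied into the href attribute. This is the vulnerable pattern.
const URL_PATTERN = /https?:\/\/\S+/g;

function renderTweetUnsafe(text) {
  return text.replace(URL_PATTERN, (url) => `<a href="${url}">${url}</a>`);
}

// HTML entity encoding for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened auto-linker: every user-controlled fragment is encoded before it is
// placed into markup, so a quote inside the URL text can no longer close the
// href attribute and introduce a second attribute.
function renderTweetSafe(text) {
  const parts = [];
  let last = 0;
  for (const m of text.matchAll(URL_PATTERN)) {
    parts.push(escapeHtml(text.slice(last, m.index)));
    const url = m[0];
    parts.push(`<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`);
    last = m.index + url.length;
  }
  parts.push(escapeHtml(text.slice(last)));
  return parts.join('');
}

// Defender-side check: list every event-handler attribute (on*) present in the
// rendered markup, as "tag.attribute". This is a simplified tag/attribute
// scanner for the demo, not a full HTML parser, but it mirrors the browser
// rule that a new attribute may begin right after a closing quote with no
// whitespace in between.
const TAG_PATTERN = /<([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_PATTERN = /([^\s"'=<>\/]+)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function eventHandlerAttributes(html) {
  const found = [];
  for (const tag of html.matchAll(TAG_PATTERN)) {
    for (const attr of tag[2].matchAll(ATTR_PATTERN)) {
      if (/^on/i.test(attr[1])) found.push(`${tag[1]}.${attr[1].toLowerCase()}`);
    }
  }
  return found;
}

// Constructed sample tweet (placeholder host and handler name): the URL text
// carries a closing quote followed by an event-handler attribute.
const SAMPLE_TWEET = 'check this http://x.example/"onmouseover="handler() out';

const unsafeHtml = renderTweetUnsafe(SAMPLE_TWEET);
const safeHtml = renderTweetSafe(SAMPLE_TWEET);
console.log(unsafeHtml, eventHandlerAttributes(unsafeHtml)); // finds a.onmouseover
console.log(safeHtml, eventHandlerAttributes(safeHtml));     // finds nothing
```

Run with `node`: the unsafe rendering yields an `<a>` element carrying an `onmouseover` attribute, while the safe rendering keeps the whole string inside the `href` value as `&quot;`-encoded text, so hovering does nothing. The scanner is the kind of check a server-side template test or a content-security review can run over rendered output to catch this class of regression.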

The tweets involved were rendered in large letters, making it difficult to avoid hovering over them.

The flaw was reported by Sophos, which noted that many users were exploiting it simply for fun but warned that it could be used for cyber crime if ignored.