Twitter and Facebook users have had a rough seven days. On Tuesday, a cross-site scripting (XSS) security hole that was found and fixed a month ago was reintroduced by mistake through a Twitter site update, and then over the weekend, Twitter was hit by hackers again.
A Twitter post explained the XSS problem this way:
"Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an 'onMouseOver' flaw -- the exploit occurred when someone moused over a link.
"Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge."
"This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit."
Anyway, as a result, some Twitter accounts went nuts.
According to the LA Times, "White House Press Secretary Robert Gibbs' Twitter account sent an unintelligible automatic message to his nearly 100,000 followers Tuesday morning ...", while the London Guardian reported that "... Sarah Brown, wife of the former prime minister Gordon Brown, who has 1.1 million followers on the service, was hit by a version which redirected anyone who hovered their mouse over the infected tweet to a Japanese hardcore pornography site."
Then, over the weekend, Twitter was hit again. A Twitter status update reported:
"A malicious link is making the rounds that will post a tweet to your account when clicked on. Twitter has disabled the link, and is currently resolving the issue.
UPDATE Sun Sep 26 18:41:49 UTC 2010: We've fixed the exploit and are in the process of removing the offending Tweets."
Facebook also had problems last week. On Wednesday, some Facebook users had difficulty accessing their accounts. Facebook blamed the problem on a third party vendor. According to this news report on Mashable:
"We are experiencing an issue with a third party networking provider that is causing problems for some people trying to connect to Facebook," [Facebook] told Mashable in a statement. "We are in contact with this provider in order to explore what can be done to resolve the issue. In the meantime, we are working on deploying changes to bypass the affected connections."
Then yesterday, Facebook went down for 2.5 hours in what it called its worst outage in four years. The problem was caused by a change to an automated Facebook system that verifies configuration values.
Facebook, in a post providing a detailed explanation of the error, said that the change "ended up causing much more damage than it fixed."
Facebook apologized and said, "... we want you to know that we take the performance and reliability of Facebook very seriously."
A blog post by Kashmir Hill at Forbes says the outage looks suspiciously coincidental. Seems that last week Facebook engineers were musing about what would happen if Facebook were to go out for an entire day.
A Facebook engineer responded by saying, "Human sacrifice, dogs and cats living together ... mass hysteria."