Twitter Compromised

by Chris

Today a Twitter user who goes by the name “Bon” utilized a flaw in Twitter’s code to post messages on other accounts (through the Twitter API).

Bon’s exposure of the bug posted this message on hundreds of Twitter accounts:

Looking at Bon’s Twitter page - http://twitter.com/x

Innocent enough, but the fear of hacking was in the air. Soon after the initial run of posts, Bon (whose page appears to have been hit by the flaw as well) posted this message:

Hello everyone. Twitter has not been hacked. It has merely been taken advantage of. This is my little experiment. Everything is safe. Go back to bed.

The messages continued, however, and there was no certainty as to whether private information (passwords) had been accessed. Drew McClellan set aside those fears and posted this:

looked at Bon’s page with curl :) He’s using a CSS url hack to post with the API. It uses the fact that your browser is logged in. Account not compromised

As of right now Twitter appears to be back to normal. Twitterers are twittering that they’re sending emails in, so this issue should be resolved shortly.

In the meantime, this raises the question: how much customization is too much? At what point do we need to worry about compromising a user’s security? Of course, major sites like MySpace face this problem on a daily basis; in fact, we reported on a similar issue at Google a few weeks ago. The web 2.0 space demands customization, but there are obvious drawbacks. It will be occurrences like these that help to define the line between security and creativity.
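The two defences implied by Drew's diagnosis and by the customization question above, as an added example that is not Twitter's code: user-supplied profile CSS is filtered so that url() values can only point at an allowlisted static image host (a relative path into the site's own API is rewritten to `none`), and the status-update endpoint refuses anything that a browser following a url() could produce, namely a GET without a per-session CSRF token. The endpoint path, hostnames and token values are constructed for illustration.

```python
"""Added example (not Twitter's code): defending against user CSS whose url()
values drive the victim's logged-in browser into a state-changing API call.
All hostnames, paths and tokens below are constructed for illustration."""
import hmac
import re
from urllib.parse import urlsplit

# Matches url(...) with optional single/double quotes and surrounding whitespace.
URL_FUNC = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)

# Constructed allowlist: the only host profile CSS may load images from.
ALLOWED_IMAGE_HOSTS = {"static.example.invalid"}
ALLOWED_SUFFIXES = (".png", ".gif", ".jpg", ".jpeg")


def css_urls(css):
    """Return every url() target found in a CSS string, unquoted and stripped."""
    return [m.group(2).strip() for m in URL_FUNC.finditer(css)]


def url_allowed(target):
    """Accept only absolute http(s) URLs to an allowlisted image host, with an
    image extension and no query string. Relative paths (which resolve against
    the site itself, API endpoints included), data: or javascript: schemes and
    URLs carrying parameters are all rejected."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return False
    if parts.query or parts.fragment:
        return False
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def sanitize_profile_css(css):
    """Replace every disallowed url() with the keyword `none`, which keeps the
    stylesheet well-formed. Returns (cleaned_css, rejected_targets)."""
    rejected = []

    def repl(match):
        target = match.group(2).strip()
        if url_allowed(target):
            return match.group(0)
        rejected.append(target)
        return "none"

    return URL_FUNC.sub(repl, css), rejected


def status_update_endpoint(method, session_user, form_token, session_token, text):
    """Model of a hardened state-changing endpoint (hypothetical /statuses/update).
    A browser fetching a CSS url() sends a cookie-bearing GET with no form body,
    so requiring POST plus a per-session CSRF token defeats it even if a bad
    url() slips past the CSS filter. Returns (http_status, posted_update)."""
    if method != "POST":
        return 405, None
    if session_user is None:
        return 401, None
    if not form_token or not hmac.compare_digest(form_token, session_token):
        return 403, None
    return 200, {"user": session_user, "text": text}


if __name__ == "__main__":
    # Constructed profile CSS: one url() aimed at the site's own API, one legitimate image.
    sample = ("body { background: url('/statuses/update?status=hello') }\n"
              "h1 { background: url(http://static.example.invalid/bg.png) }")
    cleaned, bad = sanitize_profile_css(sample)
    print("rejected:", bad)
    print(cleaned)
    print(status_update_endpoint("GET", "alice", None, "s3cr3t", "hello"))
    print(status_update_endpoint("POST", "alice", "s3cr3t", "s3cr3t", "hello"))
```

The CSS filter is deliberately an allowlist rather than a blocklist of known-bad paths: the browser, not the server, decides what a url() resolves to, so the only safe policy is to enumerate what may be loaded. The endpoint check is the layer that holds even when the filter misses something.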

Update: Jack from Twitter responds in the comments below, noting that Bon did in fact alert Twitter about the bug. It is now patched!

Posted in Security, Web 2.0, Web development. January 14, 2007

2 Comments

  1. Thanks, Chris.

    Bon informed us immediately after discovering this XSS hole, and we’ve patched it up. We owe him!

    Best,
    jack.

    Comment by Jack — January 15, 2007 @ 2:21 am
  2. http://simplify3.wordpress.com/2006/12/10/hello-world/trackback/

    [I sure hope my Twitter Submitter doesn't exploit any flaws! I just want to make it easier for ppl to develop interface applications without too much trouble!! -Ken - see below]

    http://www.zen72119.zen.co.uk/TwitterSubmitter/

    to see Twitter Submitter in action or download the simple to modify HTML at:

    http://simplify3.wordpress.com/2006/12/10/hello-world/trackback/

    Twitter Submitter works on any browser, any computer system. It allows you to post updates to your Twitter blog. I wrote it as I have a Win95 system and enjoy using Lynx and Opera, and all of the nifty apps accessing the Twitter API are too complex, confusing for me, or only work on a Mac or Vista system!

    Also found through: http://twitter.pbwiki.com - Twitter Fan Wiki, among other places!

    Kenneth Udut
    simplify3@aol.com
    http://twitter.com/simplify3
    Bringing Web2.0 to the Web1.0 world!

    Comment by Kenneth Udut — January 22, 2007 @ 5:42 am
