Twitter decided to notify its users and said in a statement, "... it's our policy to notify users about law enforcement and governmental requests for their information, unless we are prevented by law from doing so."
A "MouseOver" exploit occurred on September 21, 2010, when an XSS worm became active on Twitter. When a user held the mouse cursor over blacked-out parts of a tweet, the worm within the script would automatically open links and re-post itself on the reader's account. The exploit was then re-used to post pop-up ads and links to pornographic sites. The origin of the worm is unclear, but Pearce H. Delphin (known on Twitter as @zzap) and a Scandinavian developer, Magnus Holm, both claim to have modified a related exploit found by another user (possibly Masato Kinugawa) who was using it to create coloured Tweets. Kinugawa, a Japanese developer, reported the XSS vulnerability to Twitter on August 14. Later, when he found it was exploitable again, he created the account 'RainbowTwtr' and used it to post coloured messages. Delphin says he exposed the security flaw by tweeting a JavaScript function for "onMouseOver", and Holm later created and posted the XSS worm that automatically re-tweeted itself. Security firm Sophos reported that the virus was spread by people doing it for "fun and games", but noted it could be exploited by cybercriminals. Twitter issued a statement on its status blog at 13:50 UTC that "The exploit is fully patched." Twitter representative Carolyn Penner said no charges would be pressed.
In May 2011, a claimant known as "CTB" in the case of CTB v Twitter Inc. took action against Twitter at the High Court of Justice of England and Wales, requesting that the company release details of account holders. This followed gossip posted on Twitter about professional footballer Ryan Giggs's private life. This led to the 2011 British privacy injunctions controversy and the "super-injunction". Tony Wang, the head of Twitter in Europe, said that people who do "bad things" on the site would need to defend themselves under the laws of their own jurisdiction in the event of controversy, and that the site would hand over information about users to the authorities when it was legally required to do so. He also suggested that Twitter would accede to a UK court order to divulge names of users responsible for "illegal activity" on the site.
Twitter acquired Dasient, a startup that offers malware protection for businesses, in January 2012. Twitter announced plans to use Dasient to help remove hateful advertisers on the website. Twitter also offered a feature which would allow tweets to be removed selectively by country; previously, deleted tweets were removed in all countries. The first use of the policy was to block the account of German neo-Nazi group Besseres Hannover on October 18, 2012. The policy was used again the following day to remove anti-Semitic French tweets with the hashtag #unbonjuif ("a good Jew"). In February 2012, a third-party public-key encryption app (written in Python and partially funded by a grant from the Shuttleworth Foundation) for private messaging in Twitter, CrypTweet, was released. A month later Twitter announced it would implement the "Do Not Track" privacy option, a cookie-blocking feature found in Mozilla's Firefox browser. The "Do Not Track" feature works only on sites that have agreed to the service.