
Twitter Mouseover Security Flaw Affecting Thousands of Users [WARNING]

A new Twitter security flaw is being widely exploited on thousands of Twitter accounts, redirecting users to third-party websites without their consent.
The bug is particularly nasty because it triggers on mouseover alone: pop-ups and third-party websites can open as soon as you move your mouse over the offending link, with no click required.

The flaw abuses the JavaScript onmouseover event handler, which fires when the mouse pointer passes over a piece of text. We’ve seen it used to launch simple pop-up windows, to redirect users elsewhere, and in combination with blocks of colour that hide the true “intention” of the tweet.
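To make the mechanism concrete from the defender’s side, here is an added example (my own illustration, not Twitter’s code and not the payload that circulated): a toy tweet renderer that pastes a matched URL into an href attribute unescaped, the hardened version that encodes every untrusted value for the context it lands in, and a coarse detection check a moderation or logging pipeline could run over tweet text. The sample tweet, the helper names and the regular expressions are all my own constructions.

```javascript
// Added example: attribute injection via an unescaped URL, beside the hardened renderer.
// Not Twitter's code; all names and the sample tweet are constructed for illustration.

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Very loose "linkifier" pattern: anything that starts with http(s):// up to whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: the matched URL goes straight into the href attribute.
// A double quote inside the "URL" closes the attribute, and whatever follows is parsed
// by the browser as further attributes on the <a> element, e.g. an onmouseover handler.
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened renderer: text nodes and attribute values are both HTML-encoded, and the
// href is additionally restricted to a plain http(s) URL with no quote or angle bracket.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    const safeHref = /^https?:\/\/[^\s"'<>]+$/.test(url) ? url : '#';
    out += `<a href="${escapeHtml(safeHref)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Coarse heuristic for a detection pipeline: flag tweet text carrying an inline
// event-handler attribute (on...=) or a script tag. Expect some false positives
// on ordinary text such as "one=two"; it is a triage signal, not a filter.
const EVENT_HANDLER_RE = /\bon[a-z]+\s*=|<\s*script\b/i;
function looksLikeMarkupInjection(text) {
  return EVENT_HANDLER_RE.test(text);
}

// Constructed sample tweet: the "URL" contains a closing quote followed by an event handler.
const SAMPLE = 'see http://example.com/"onmouseover="alert(1) now';

// Side-by-side comparison of the two renderers on the sample.
function demo() {
  return {
    unsafe: renderTweetUnsafe(SAMPLE),
    safe: renderTweetSafe(SAMPLE),
    flagged: looksLikeMarkupInjection(SAMPLE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the contrast is that the unsafe output contains a live `onmouseover="..."` attribute on the anchor, while the safe output renders the same characters as inert text (`&quot;onmouseover=&quot;`) and falls back to a harmless href. Encoding for the output context is what closes the hole; the detection regex only helps you notice abuse after the fact.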

For now, the best course of action is using only third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter’s web interface.

You can see an example of a tweet that launches a pop-up if you move the mouse over it below.


UPDATE: Twitter Releases Statement On “Patched” Flaw

Article date: Tue, 21 Sep 2010 14:50 GMT

Twitter now says that the XSS attack has been “identified and patched”.
“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.”

“We expect the patch to be fully rolled out shortly and will update again when it is.”
Already, Favstar has seen more than 24,000 retweets of one particular implementation of the bug. A quick look at the trending topics this morning shows quite how quickly the exploit has spread, with “Exploit”, “Security Flaw”, “Mouseover”, “Onmouseover” and “XSS” taking up five of the top 10 topics.
Both Mashable and TechCrunch report having seen the exploit used to open pop-up windows, redirect users to porn sites and simply do “funny, rick-rolling type stuff”, but the nature of the exploit appears to be changing quickly as the morning goes on.

Georg Wicherski, a Kaspersky Lab expert writing on the exploit, warns that users should turn off JavaScript for Twitter. “It is possible to load secondary Javascript from an external URL with no user interaction, which makes this definitely wormable and dangerous,” he writes.

Twitter user Judofyr noted earlier this morning that there appeared to be an “ugly XSS hole in Twitter right now” and now says that, as far as he knows, he “started the first worm”, but can’t say for sure.

For now, the best bet is to avoid the website until further notice (although the new Twitter.com doesn’t appear to be affected). If you can’t hold on any longer, third-party clients say they are standing up against the attack and are the safe route around the bumpy ‘flaw’.

Interesting Footnote from David Naylor