A new Twitter security flaw has been widely exploited on thousands of Twitter accounts, redirecting users to third-party websites without their consent.
The bug is particularly nasty because it works on mouseover only, meaning pop-ups and third-party websites can open even if you just move your mouse over the offending link.
For now, the best course of action is using only third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitterâ€™s web interface.
You can see an example of a tweet that launches a pop-up if you move the mouse over it below.
UPDATE; Twitter Releases Statement On “Patched” Flaw
Return to security news headlines
Article date: Tue, 21 Sep 2010 14:50 GMT
Twitter now says that the XSS attack has now been “identified and patched”.
“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.”
“We expect the patch to be fully rolled out shortly and will update again when it is.”
Already, Favstar has seen more than 24,000 retweets of one particular implementation of the bug. A quick look at the trending topics this morning shows quite how quickly the exploit has spread, with “Exploit”, “Security Flaw”, “Mouseover”, “Onmouseover” and “XSS” taking up five of the top 10 topics.
Both Mashable and TechCrunch report having seen the exploit used to open pop-up windows, redirect users to porn sites and simply do “funny, rick-rolling type stuff”, but the nature of the exploit appears to be changing quickly as the morning goes on.
Interesting Footnote from David Naylor