Twitter onmouseover flaw causing twitterverse chaos

Twitter has been caught with its pants down exposing itself to a massive security flaw affecting millions of Twitter users.

If you've been seeing random messages like:

http://a.no/@"onmouseover=";$('textarea:first').val(this.innerHTML);$('.status-update-form').submit()" style="color:#000;background:#000;/

appearing in your Twitter Stream, it's all down to a flaw that allows messages to pop up and third-party websites to open in your browser just by moving your mouse over a link.
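The payload quoted above is shaped like an attribute break-out: the tweet text starts as a URL, and the double quote after `@` closes whatever attribute the URL was placed in, so `onmouseover=` becomes an attribute of the link itself. The following is an added example, not Twitter's code, illustrating that mechanism under the assumption that the autolinker wrapped tweet URLs in an `<a href="...">` tag without escaping quotes. The constructed sample tweet copies the payload's shape, `autolinkNaive` and `autolinkSafe` are hypothetical helpers, and `attributeNames` is a small attribute parser used as the check.

```javascript
// Added example (not Twitter's code). Demonstrates how an unescaped URL
// autolinker lets a quote inside the URL break out of the href attribute,
// and how attribute encoding keeps the same input inert.

// Constructed sample tweet, same shape as the payload quoted in the article.
const SAMPLE_TWEET =
  `http://a.no/@"onmouseover=";$('textarea:first').val(this.innerHTML);$('.status-update-form').submit()" style="color:#000;background:#000;/`;

// Hypothetical vulnerable autolinker: wraps anything that looks like a URL in
// an anchor without escaping. The quote in the URL closes href, and the rest
// of the tweet is parsed as further attributes on the anchor.
function autolinkNaive(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that can terminate an attribute value or a text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened autolinker: the quote becomes &quot; and stays inside href.
function autolinkSafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Minimal attribute-name extractor for one opening tag, e.g. '<a href="x">'.
// Mirrors the browser's tolerance: an attribute may follow a quoted value
// with no whitespace in between, which is exactly what the payload relies on.
function attributeNames(tag) {
  const names = [];
  let i = tag.search(/\s/);        // skip '<tagname'
  if (i < 0) return names;
  const end = tag.length - 1;      // index of the closing '>'
  while (i < end) {
    while (i < end && /[\s/]/.test(tag[i])) i++;               // skip ws and '/'
    let name = '';
    while (i < end && !/[\s=/]/.test(tag[i])) name += tag[i++];  // attribute name
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {                                         // attribute value
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && tag[i] !== q) i++;
        i++;                                                      // closing quote
      } else {
        while (i < end && !/\s/.test(tag[i])) i++;
      }
    }
    if (name) names.push(name.toLowerCase());
  }
  return names;
}

// Detection check: does the rendered anchor carry any on* event handler?
function hasEventHandler(html) {
  const m = html.match(/<a[^>]*>/i);
  if (!m) return false;
  return attributeNames(m[0]).some((n) => n.startsWith('on'));
}

// Stand-alone demonstration.
console.log('naive autolinker injects handler:', hasEventHandler(autolinkNaive(SAMPLE_TWEET)));
console.log('escaped autolinker injects handler:', hasEventHandler(autolinkSafe(SAMPLE_TWEET)));
```

Running the block reports `true` for the naive autolinker and `false` for the escaping one; the same check can be pointed at any rendered markup to confirm that user-supplied text never contributes attribute names to a tag.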



Thousands of Twitter accounts have posted messages exploiting the flaw, with victims including Sarah Brown, wife of the former British Prime Minister whose Twitter page appears to have been messed with in an attempt to redirect visitors to a hardcore porn site hosted in Japan.

“It seems many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” said Graham Cluley, senior technology consultant, Sophos.  

“Some users are also exploiting the loophole to create tweets that contain blocks of colour (known as rainbow tweets). Because these messages can hide their true content, it might prove hard for some users to resist clicking on them. Hopefully Twitter will shut down this loophole as soon as possible – disallowing users to post the onMouseOver JavaScript code.”

No official word as yet as to what Twitter is doing about the flaw and how it plans to fix it. 

Sophos in the meantime suggests avoiding the Twitter website and using a third-party application instead.

UPDATE: Twitter has issued the following on its status page: 

"We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.

We expect the patch to be fully rolled out shortly and will update again when it is.

Update (6:50 PDT, 13:50 UTC): The exploit is fully patched."

UPDATE 2: Twitter has posted further explanation of what happened:

"The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed."  
