Twitter onmouseover flaw causing twitterverse chaos
Twitter has been caught with its pants down exposing itself to a massive security flaw affecting millions of Twitter users.
If you've been seeing random messages like:
appearing in your Twitter Stream its all down to a flaw that allows messages to pop-up and third-party websites to open in your browser just by moving your mouse over a link.
Thousands of Twitter accounts have posted messages exploiting the flaw, with victims including Sarah Brown, wife of the former British Prime Minister whose Twitter page appears to have been messed with in an attempt to redirect visitors to a hardcore porn site hosted in Japan.
“It seems many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” said Graham Cluley, senior technology consultant, Sophos.
No official word as yet as to what Twitter is doing about the flaw and how it plans to fix it.
Sophos in the meantime suggest avoiding the Twitter website and using a third-party application instead.
UPDATE: Twitter has issued the following on its status page:
"We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again when it is.
Update (6:50 PDT, 13:50 UTC): The exploit is fully patched."
UPDATE 2: Twitter has posted further explanation of what happened:
"The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed."