Twitter patches flaw that ran rampant

JavaScript "onmouseover" command exploit hits thousands of users before Twitter gets patch in place. Attention now turns to those who may have created exploits.

[Image caption] Sophos has found that Twitter profiles are vulnerable to a 'mouseover' hack, something that many users are already exploiting. (Sophos screengrab of Twitter)

Security firm Sophos posted a blog entry early Tuesday highlighting a new and potentially dangerous hack of Twitter's Web interface that's begun to make the rounds. It affects only Twitter.com, not third-party clients.

Here's how it works, basically: By inserting an HTML "onmouseover" event-handler attribute (which carries JavaScript) into the URL of a tweet, a user can make a pop-up message appear when someone hovers the cursor over that link. Sophos notes that right now the primary exploiters of the loophole are using it for "fun and games," but that it could potentially be used by spammers or purveyors of malicious code. It appears to work in both the redesigned Twitter Web interface that was launched last week and its predecessor.

"Mouseover" hacks are not particularly complicated, and have been implemented in vulnerable e-mail clients for years.
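The mechanism described above is an HTML attribute-injection flaw: a URL copied straight into an `href` attribute can close the quoted value and start a new attribute. The following is an added example, not code from CNET, Sophos or Twitter. It contrasts a link renderer that concatenates the raw URL with a hardened one that restricts the scheme to http(s) and escapes the value before interpolation, and adds a coarse check for event-handler attributes in rendered markup. The sample input is constructed, and the function names are assumptions for illustration only.

```javascript
// Added example (not the article's, Sophos's or Twitter's code).
// Shows why raw URL concatenation into an <a href> lets an injected
// onmouseover attribute through, and how scheme validation plus attribute
// escaping neutralises it. Helper names are assumptions for illustration.

// Vulnerable renderer: the raw URL is concatenated into the href attribute.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape every character that has meaning in HTML text or attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only http(s) URLs so that non-web schemes are never turned into links.
function isSafeHttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false; // not parseable as a URL at all
  }
}

// Hardened renderer: validate the scheme, then escape before interpolating.
// Anything that fails validation is shown as escaped plain text, not a link.
function renderLinkSafe(url) {
  if (!isSafeHttpUrl(url)) {
    return escapeHtml(url);
  }
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Coarse defensive check over rendered markup: does any tag carry an on*=
// attribute? A quote or whitespace must precede "on", because browsers accept
// an attribute that directly follows a closing quote. This is a heuristic for
// reviewing output, not a substitute for escaping.
function containsEventHandler(html) {
  return /<[^>]*[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed input shaped like the tweet payload the article describes:
// a URL whose tail closes the href quote and appends a mouseover handler.
const CONSTRUCTED_INPUT = 'http://example.com/"onmouseover="alert(1)';

// Stand-alone demonstration.
console.log('unsafe :', renderLinkUnsafe(CONSTRUCTED_INPUT));
console.log('safe   :', renderLinkSafe(CONSTRUCTED_INPUT));
console.log('unsafe has handler:', containsEventHandler(renderLinkUnsafe(CONSTRUCTED_INPUT)));
console.log('safe has handler  :', containsEventHandler(renderLinkSafe(CONSTRUCTED_INPUT)));
```

The unsafe renderer emits `href="http://example.com/"onmouseover="alert(1)"`, which an HTML parser reads as two attributes; the safe renderer turns the embedded quote into `&quot;`, so the whole string stays inside the `href` value and the hover handler never exists. Escaping alone does not cover the `href` value's scheme, which is why the example also rejects anything that is not http(s).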

Sophos noted that many Twitter users are playing around with it but that the company hasn't put out an official reaction. Representatives from Twitter were not immediately available for comment.

Update 5:38 a.m. PDT: Sophos notes that the exploit is spreading rapidly and that it's now being used to redirect to some hardcore porn sites.

Update 5:51 a.m. PDT: The security hole is now being used to "auto-tweet" more mouseover links, and thousands of Twitter users are falling prey to it. For the time being, using a third-party Twitter client may be the safest option.

Update 6:49 a.m. PDT: Twitter has released a basic acknowledgment of the flaw and says that it's working to correct it. "We've identified and are patching a XSS attack; as always, please message @safety (Twitter's official security account) if you have info regarding such an exploit," the company wrote in a tweet.

CNET has opted to not link to the tweet in question yet because it redirects to the Twitter.com domain, which may still pose issues.

Update 6:52 a.m. PDT: Twitter's status blog says, "We expect the patch to be fully rolled out shortly and will update again when it is."

Update 7:08 a.m. PDT: The status blog post has been updated to say the Twitter flaw has been "fully patched."

Update 8:57 a.m. PDT: After a large number of Twitter users pointed to the name "matsta" in connection to the security hole, the account @matsta has been suspended and a person claiming to be the owner of the account has contacted CNET to claim responsibility for discovering the hole and creating the exploit.

Update 9:27 a.m. PDT: More people behind the flaw exploitation are coming out of the woodwork: Netcraft pointed to an Australian teenager who goes by @zzap as having discovered the exploit; another developer named Magnus Holm (@judofyr) says he was the first to create a proliferating worm with the XSS flaw; and the U.K. publication The Guardian tracked down a Japanese programmer who flagged the potential for an exploit last month.

Meanwhile, the Twitter news account for start-up incubator Y Combinator pointed to activity on coding community GitHub by two Twitter employees last month that mentions "onmouseover," suggesting that they were aware of the flaw.
