Beware of Twitter: Security Flaw Spreading
Last Updated: Sept. 21, 10:04 AM ET
Sophos has found that Twitter profiles are vulnerable to a 'mouseover' hack, something that many users are already exploiting.
Security firm Sophos posted a blog entry early Tuesday highlighting a new and potentially dangerous hack of Twitter's Web interface that's begun to make the rounds. It affects only Twitter.com, not third-party clients.
Here's how it works, basically: By putting a bit of JavaScript code ("onmouseover") into a URL in a tweet, a user can cause a pop-up message to emerge when someone hovers a cursor over that link. Sophos notes that right now primary exploiters of the loophole are using it for "fun and games," but that it could potentially be used by spammers or purveyors of malicious code. It appears to work in both the redesigned Twitter Web interface that was launched last week as well as its predecessor.
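The mechanism described above, shown from the defender's side as an added example (not code from Sophos or Twitter): a link renderer that drops tweet text straight into an `href` attribute lets a quote in that text close the attribute and append an `onmouseover` handler, while a renderer that validates the URL scheme and escapes attribute characters does not. The sample URL, function names and the `&quot;`-style escaping are constructed for this illustration.

```javascript
// Added example (not from the Sophos post or Twitter's code): why an
// unescaped link attribute lets a tweet carry an onmouseover handler,
// and how attribute escaping plus URL-scheme validation prevents it.

// Escape the characters that can terminate an HTML attribute or tag.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable renderer: the URL text from the tweet is dropped straight
// into the href attribute, so a quote in it ends the attribute early and
// whatever follows becomes extra attributes on the <a> element.
function renderLinkVulnerable(url) {
  return '<a href="' + url + '">' + url + "</a>";
}

// Hardened renderer: only http(s) URLs are linked, and every character
// that could break out of the attribute is escaped before output.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return escapeAttr(url); // not a URL at all: render as plain text
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return escapeAttr(url); // javascript:, data:, etc. are never linked
  }
  const safe = escapeAttr(parsed.href);
  return '<a href="' + safe + '">' + safe + "</a>";
}

// Detection check: does rendered HTML carry an event-handler attribute?
function hasEventHandlerAttribute(html) {
  return /\son\w+\s*=/i.test(html);
}

// Constructed sample (not a real tweet): link text that closes the href
// attribute and adds a harmless onmouseover, the pattern described above.
const constructedTweetUrl = 'http://example.com/" onmouseover="void(0)" x="';

console.log(hasEventHandlerAttribute(renderLinkVulnerable(constructedTweetUrl))); // true
console.log(hasEventHandlerAttribute(renderLinkSafe(constructedTweetUrl)));       // false
```

The hardened path relies on the WHATWG `URL` parser percent-encoding quotes and spaces in the path, so the re-serialized `href` can no longer terminate the attribute even before escaping.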
"Mouseover" hacks are not particularly complicated, and have been
Sophos noted that many Twitter users are playing around with it but that the company hasn't put out an official reaction. Representatives from Twitter were not immediately available for comment.
UPDATE (8:38 a.m. ET): Sophos notes that the exploit is spreading rapidly and that it's now being used to redirect to some hardcore porn sites.
UPDATE (8:51 a.m. ET): The security hole is now being used to "auto-tweet" more mouseover links, and thousands of Twitter users are falling prey to it. For the time being, using a third-party Twitter client may be the safest option.
Twitter's status update: "XSS attack identified and patched."
UPDATE (9:51 a.m. ET): Twitter says it has identified and is patching the exploit. "We expect the patch to be fully rolled out shortly and will update again when it is," Twitter said on its blog.
UPDATE (10:04 a.m. ET): Twitter says the exploit has been fully patched.
- This article fails to explain anything. Is this something that can only happen if one goes to an unscrupulous Twitter page? Is this redirect something that happens merely by doing a mouse-over of a tainted link, or does it require the user to click on the tainted hyperlink? Is this 'infection' something that can infect MY TWITTER PAGE, or something that only deliberately infects an unscrupulous Twitter page because that page creator has unscrupulously inserted the mouse-over redirect code into their own page via a mouse-over hyperlink code? How can an article like this get posted when it is so barren of critical facts?