Major Twitter Security Flaw Exploits Mouseovers (Update: Twitter Reports Patched)
Update3: Twitter reports that the XSS vulnerability has been patched.
Update: It’s worse now: Reports are surfacing that code can be activated without even a mouseover, so avoid Twitter.com entirely for the time being.
Web security firm Sophos reports:
It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed.
Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of colour (known as “rainbow tweets”). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.
Update: More background on the flaw: Apparently, it was discovered by an Australian teenager going by the handle “zzap.”
Netcraft informs us that it took less than two hours for hackers to discover and implement the flaw on a wide scale, and that one of its first uses was (what else) people mouseover Rickrolling each other:
Also, as more technical details about the hack emerge, it appears that Twitter’s t.co URL shortener is partly to blame. t.co renders the HTML for URLs that follow; TNW reports that hackers have discovered that they can abuse t.co by closing the href attribute early.
Third-party Twitter clients like Tweetdeck are unaffected by the onMouseOver flaw, however, so at present, they’re the safest way to navigate Twitter until the company fixes the bug.