UPDATED: Twitter Security Flaw Today – OnMouseOver

A new security flaw has been discovered on Twitter today. It is easy to reproduce, to exploit, and to play with. A specially crafted tweet can make the browser of anyone who views it on twitter.com run script chosen by the exploiter, using that viewer's logged-in session and without the viewer realizing it. For example, the tweet can redirect the viewer to a different website, any website of the exploiter's choosing. [UPDATE #2]

The bug only appears to affect the twitter.com website, not third-party apps such as CoTweet, TweetDeck, etc., which render the tweet as plain text rather than reusing twitter.com's HTML. Therefore, until Twitter fixes this flaw, you might want to avoid the twitter.com website and only use third-party apps to access your Twitter stream.

The bug is a cross-site scripting (XSS) flaw involving the HTML onmouseover event-handler attribute, whose value is JavaScript. A tweet crafted with the right syntax causes twitter.com to render the tweeter's onmouseover attribute as part of the link markup, so the script in it runs when any other user moves their mouse over that link. The user doesn't need to click on the tweet; hovering over the link is enough for the preprogrammed action to execute (a redirect to another site, or whatever else the script does).
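The pattern behind this kind of flaw is attribute injection: a URL is dropped into an `href="..."` attribute without escaping, so a double quote inside the "URL" ends the attribute early and whatever follows becomes a new attribute on the link. The following is an added example, not Twitter's code or anything from the original post: the linkifier, its URL regex, the `hasEventHandlerAttr` check and the sample tweet are all constructed here to show the shape of the bug as described above, beside a hardened version that escapes before interpolating.

```javascript
// Added example of attribute-injection XSS in a tweet linkifier.
// Constructed for illustration; this is NOT twitter.com's actual code,
// and the regex, payload and hostnames are assumptions for the demo.

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched "URL" is interpolated straight into the href
// attribute. A double quote inside it closes the attribute value, and the
// text after it is parsed by the browser as further attributes on <a>.
function linkifyNaive(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape every character that is significant in HTML text or inside a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the URL is escaped before it reaches either the attribute or
// the link text, so a quote in the tweet stays data and cannot start a
// new attribute.
function linkifySafe(tweet) {
  return tweet.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Crude check used only for this demo (not a general sanitizer): does any
// tag in the rendered HTML carry an on* event-handler attribute?
function hasEventHandlerAttr(html) {
  return /<[^>]*[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed payload: the quote after "example.com/" terminates the href
// value, and the onmouseover handler that follows redirects the viewer.
const EVIL_TWEET =
  'look at this http://example.com/"onmouseover="location.href=\'http://attacker.example\'" fun';

// Render the same tweet both ways so the difference can be inspected.
function demo(tweet = EVIL_TWEET) {
  const naive = linkifyNaive(tweet);
  const safe = linkifySafe(tweet);
  return {
    naive,
    safe,
    naiveInjected: hasEventHandlerAttr(naive), // true: handler landed on <a>
    safeInjected: hasEventHandlerAttr(safe),   // false: quote was escaped
  };
}

console.log(demo());
```

In the naive output the browser sees `href="http://example.com/"` followed by a second attribute `onmouseover="..."`, which is exactly what hovering over the link then executes. The hardened output keeps the whole string inside the attribute as `&quot;onmouseover=&quot;...`, so the link is odd but inert. Escaping at the point of output, for the specific context (attribute value versus text node), is the fix; stripping the word "onmouseover" from tweets is not, since any other `on*` handler or a stray `>` would do the same job.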

There doesn’t appear to be any word from Twitter yet on their official blog or on their @safety account about this situation or a time estimate on its repair. So be careful until this is fixed.

UPDATE #1: The Twitter @safety account just retweeted the following tweet from the head of Twitter’s Trust and Safety team: “The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.” So hopefully, this bug should now be fixed.

UPDATE #2: Twitter has posted a blog entry about this incident.

Here are other articles about this issue on Mashable and on TechCrunch.

Author: Doug Braun