Twitter Fixes ‘Onmouseover’ Flaw

Social networking site Twitter has reacted swiftly after a flaw in its website was exploited to generate pop-up messages and links to porn sites.

Twitter has since fully patched the flaw, which comes just one week after Twitter rolled out a major redesign of its site.

The problem occurred when Twitter users began finding that they only had to place their mouse pointer over a message containing a link for it to open, without clicking. This is referred to as an “onmouseover” issue, and it uses a JavaScript event handler that can also generate pop-up messages.

The code exploited what is known as a cross-site scripting (XSS) vulnerability. However, those people using third-party Twitter software – such as Tweetdeck – were apparently unaffected by the problem.
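An onmouseover injection of this kind works because tweet text reaches the page as HTML without being escaped, so a quote character inside a “link” can close the href attribute and start a new one. The following JavaScript is an added illustration, not Twitter's code and not the exploit used against it: it contrasts a link-rendering routine that splices an unvalidated URL straight into an HTML attribute with a hardened version that validates the URL and escapes every piece, and it includes a simple check for inline event handlers that a defender could run over rendered output. The sample tweet text and all function names are constructed for this example.

```javascript
// Added example (not Twitter's code): rendering untrusted tweet text as HTML.
// Assumed helper names: escapeHtml, safeHref, renderTweetUnsafe, renderTweetSafe.

// Escape the characters that matter in text nodes and quoted attribute values.
// '&' must be handled first so later replacements are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only plain http(s) URLs without quotes or angle brackets may become an href;
// anything else is rendered as inert text.
function safeHref(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(url) ? url : null;
}

// VULNERABLE (for comparison): the raw URL is interpolated into the attribute,
// so a double quote inside it terminates href and whatever follows becomes a
// new attribute, such as an onmouseover handler.
function renderTweetUnsafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED: tokenise the text, validate each URL, and escape every fragment
// that is written into the document, attribute values included.
function renderTweetSafe(text) {
  const urlRe = /https?:\/\/\S+/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = urlRe.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Detection aid: does the rendered HTML contain an inline on* event attribute?
// Matches a quote or whitespace followed by on<letters>= (e.g. "onmouseover=).
function hasInlineEventHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample: a "URL" carrying a quote and a fake event handler.
const sampleTweet = 'see http://example.test/"onmouseover="x() now';
console.log("unsafe :", renderTweetUnsafe(sampleTweet));
console.log("safe   :", renderTweetSafe(sampleTweet));
console.log("unsafe has handler:", hasInlineEventHandler(renderTweetUnsafe(sampleTweet)));
console.log("safe has handler  :", hasInlineEventHandler(renderTweetSafe(sampleTweet)));
```

The hardened renderer fixes the root cause (untrusted data written into markup without encoding); the detection helper is only a coarse signal, useful for spotting rendered output that should never contain inline handlers, not a substitute for escaping.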

Sarah Brown Hit

Meanwhile, security vendor Sophos has said that users need to be more cautious in the future. It said that thousands of Twitter accounts have posted messages exploiting the flaw, with victims including Sarah Brown, wife of the former British Prime Minister, whose Twitter page appears to have been tampered with in an attempt to redirect visitors to a hardcore porn site hosted in Japan.

“It seems many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” said Graham Cluley, senior technology consultant, Sophos.

“Some users are also exploiting the loophole to create tweets that contain blocks of colour (known as rainbow tweets),” he said. “Because these messages can hide their true content, it might prove hard for some users to resist clicking on them. Hopefully Twitter will shut down this loophole as soon as possible – disallowing users to post the onMouseOver JavaScript code.”

“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit,” said Twitter on its status update blog.

It later confirmed that the exploit had been fully patched.

Other Problems

This is not the first time Twitter has been hit with security problems.

In January a security researcher uncovered some holes in Twitter that could allow an attacker to steal cookies and user session IDs.

And in December last year Twitter was hacked and its main pages replaced for about an hour, between about 10pm and 11pm Pacific time (6am and 7am GMT) on 17 December 2009.

During that time, Twitter was replaced with a black background page showing a green flag and with a headline that read, in English: “Iranian Cyber Army … This Website Has Been Hacked by Iranian Cyber Army.”

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
