Warning: Twitter Security Flaw - UPDATED

BlogHer Original Post

Warnings are hitting the news that a JavaScript security flaw is being actively exploited on Twitter. It affects the browser-based site at twitter.com, but not standalone Twitter clients such as TweetDeck or Seesmic, which use the API rather than the web page.


Experts are saying users should stay away from twitter.com until the problem is fixed. At this time (early morning) there has been no word from Twitter. I expect something to show up on the Twitter blog at some point that will explain what they are doing (or did) to stop the problem.

The problem is that certain tweeted links carry JavaScript that runs as soon as the user mouses over the link, with no click required. At Mashable, in Twitter Mouseover Security Flaw Affecting Thousands of Users [WARNING], it's described like this.

A new Twitter security flaw has been widely exploited on thousands of Twitter accounts, redirecting users to third-party websites without their consent.

The bug is particularly nasty because it works on mouseover only, meaning pop-ups and third-party websites can open even if you just move your mouse over the offending link.
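As an added illustration that is not taken from this post or from Twitter's own code, the JavaScript below contrasts a naive link renderer, which splices a tweeted URL straight into an anchor tag so that a quote character in the URL can introduce an onmouseover attribute, with a hardened renderer that checks the URL scheme and escapes attribute values. The input string, the function names and the audit regex are constructed for this example.

```javascript
// Added example (not Twitter's code). Two ways to turn a tweeted URL into an
// anchor tag, plus a crude audit check for inline event-handler attributes.

// Constructed sample input of the shape this class of bug abuses: a double
// quote closes the href value and what follows is read as a new attribute.
const CONSTRUCTED_INPUT = 'http://example.test/" onmouseover="alert(1)';

// Escape every character that can end an attribute value or open a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable: raw interpolation of untrusted text into HTML.
function renderLinkNaive(url) {
  return `<a href="${url}">${url}</a>`;
}

// Hardened: parse the URL, allow only http(s), then escape on output.
// Anything that fails parsing or uses another scheme is shown as plain text.
function renderLinkSafe(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return escapeAttr(url); }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeAttr(url);
  }
  const safe = escapeAttr(parsed.href); // parser already percent-encodes " and space
  return `<a href="${safe}">${safe}</a>`;
}

// Audit heuristic: does any tag in the rendered HTML carry an on...= attribute,
// whether preceded by whitespace or glued onto a closing quote? Useful for
// gating test fixtures and scanning rendered output; not an HTML parser.
function hasInlineEventHandler(html) {
  return /<[^>]*(?:\s|["'])on[a-z]+\s*=/i.test(html);
}

console.log(renderLinkNaive(CONSTRUCTED_INPUT));
console.log(renderLinkSafe(CONSTRUCTED_INPUT));
console.log(hasInlineEventHandler(renderLinkNaive(CONSTRUCTED_INPUT)),
            hasInlineEventHandler(renderLinkSafe(CONSTRUCTED_INPUT)));
```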

The security flaw caught many people by surprise, including Sarah Brown, the wife of the former British Prime Minister, according to Graham Cluley's Blog in Twitter 'onmouseover' security flaw widely exploited.

It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed.

Perhaps because of Mrs. Brown's name being attached to the issue, the European version of TechCrunch is posting frequent updates to its story about the security flaw. One of their updates says,

As we said, third party apps using the Twitter API won’t re-produce the mouseover exploit, so they are safest right now. It also appears that users of the New Twitter interface (mostly in North America) do not have the same problem.


I've been visiting twitter.com more than usual lately, waiting to get a look at the new Twitter, and working to get a Twitter list of the women in web education going. Until we hear that this security flaw has been fixed, I intend to stay away from twitter.com. I suggest you do too.

UPDATED: According to @safety, this problem has been fixed by Twitter.

The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.
Tue Sep 21 13:52:40 via web

Virginia DeBolt
Web Teacher | First 50 Words

Photo Credit: Abigail Silvester
