UPDATE: Serious Twitter bug turns service into a mess

A quick PSA for all you Twitter users out there - there's a bug making the rounds that allows JavaScript to be executed with a simple mouseover.

[UPDATE: All fixed now ... ]

A quick PSA for all you Twitter users out there - there's a bug making the rounds that allows JavaScript to be executed with a simple mouseover.

This vulnerability can be used for all sorts of nefarious activities - from loading NSFW websites, to changing statuses, to retweeting status updates containing the vulnerability. Most malware-ladened tweets are hidden behind text that looks redacted (black blocks) to hide the script).

The vulnerability only affects users accessing the service via the main Twitter.com websites. Mobile Twitter site (mobile.twitter.com) is unaffected, as are third-party clients such as TweetDeck.

Alternatively, you can:

  • Stay off Twitter
  • Use the Mobile site - http://mobile.twitter.com
  • Log-out (which prevents retweeting, but doesn't prevent execution of code in the first place, so watch out)
  • Disable JavaScript in the browser

Given what I'm seeing out there on Twitter right now, if this was a zombie movie, a lot of people have already been bitten - including quite a few who should know better ... ;) ... and remember, if you've been bitten and I haven't, I know what to do, I've seen "Night of the Livng Dead" at least a dozen times ;)

Stay safe!

[UPDATE; Getting reports in that you don't actually have to mouse over affected links ... perhaps someone is leveraging an alternative command to "onmouseover"?]

[UPDATE 2: New improved exploit means that you trigger the exploit no matter where you mouseover on the page ... so just loading the page is enough.]

[UPDATE 3: Watching how fast this Twitter bug spread, it's a lucky think that it wasn't put to more nefarious uses ... if someone had set out with the idea of using this to launch a serious malware campaign, the fall out would be much worse.]

[UPDATE 4: It's time for Twitter to set better controls on what makes it through into the stream ... the ability to post raw JavaScript turns every tweet into an untrusted site.]

[UPDATE 5: Twitter now acknowledges flaw: "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit."

[UPDATE 6: And the vulnerability has been patched.]

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All