Twitter patches JavaScript hack

The cross-site scripting attack, which caught out thousands of users including Sarah Brown and White House press secretary Robert Gibbs, was patched hours after it first appeared
Written by Tom Espiner, Contributor

Twitter has patched a hack which directed users to third-party sites, including adult websites.

The company's status feed identified the hack as a cross-site scripting (XSS) attack, and said Twitter had fully patched the hack on Tuesday afternoon, hours after it appeared.

"We've identified and are patching an XSS attack; as always, please message @safety if you have info regarding such an exploit," said the status feed. "We expect the patch to be fully rolled out shortly and will update again when it is. Update (6:50 PDT, 13:50 UTC): The exploit is fully patched."

The Twitter service was widely exploited to launch pop-ups and browser windows, according to security firm Sophos. The hack exploited the 'onmouseover' JavaScript event handler to launch pop-ups and browser windows to third-party sites, Sophos senior technology consultant Graham Cluley told ZDNet UK on Tuesday.

"The exploit waits for a mouse to roll over a tweet, then it tries to run code which opens a browser or displays a pop-up," said Cluley. "There are so many messages up there." Thousands of Twitter accounts posted messages containing the flaw, he added.
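As an added illustration (not code from the article, Twitter or Sophos), the snippet below shows the rendering mistake that lets tweet text inject an onmouseover attribute, and the contextual output encoding that prevents it; the helper names and the sample tweet are constructed for this example.

```javascript
// Added example, not Twitter's code. Names and sample data are constructed.

// Escape the five characters that can change HTML parsing state.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: user text is spliced into an attribute and a text node
// without escaping, so a double quote in the text closes the attribute and the
// remainder is parsed as new attributes (for example an onmouseover handler).
function renderTweetUnsafe(text) {
  return `<span class="tweet" title="${text}">${text}</span>`;
}

// Hardened rendering: the same text, escaped for both contexts. A quote in the
// text becomes &quot; and can no longer terminate the attribute value.
function renderTweetSafe(text) {
  const t = escapeHtml(text);
  return `<span class="tweet" title="${t}">${t}</span>`;
}

// Lists the attribute names of the first tag in a fragment (a deliberately
// simple tokenizer; a real audit would use an HTML parser).
function attributeNames(html) {
  const tag = html.match(/^<[a-z]+([^>]*)>/i);
  if (!tag) return [];
  return [...tag[1].matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// True if any attribute on the tag is an event handler such as onmouseover.
function hasEventHandlerAttribute(html) {
  return attributeNames(html).some((name) => /^on/i.test(name));
}

// Constructed sample in the shape the article describes: the text closes the
// attribute early and supplies its own hover handler.
const SAMPLE_TWEET = 'http://example.com/" onmouseover="hoverPayload()';

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
```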

Sophos is in the process of trying to check out whether any of the websites that were opened hosted malicious code, but it appeared that most of the exploits were not malicious, said Cluley.

High-profile users whose pages had posts with the exploit included Sarah Brown, the wife of former prime minister Gordon Brown. A tweet on her page redirected people to a Japanese hardcore pornography site, according to a Sophos blog post on Tuesday. Another was Robert Gibbs, the White House press secretary, Cluley told ZDNet UK.

Twitter has suffered from a number of exploits, including an XSS worm attack in April 2009. That worm, written by 17-year-old Michael Mooney, infected users when they clicked on a link.

[Image: Twitter hit by JavaScript hack] Twitter has patched the cross-site scripting attack that exploited a JavaScript command. Screenshot: @Wiggysan
