K97.5 Featured Video
CLOSE

Update: Twitter announced on its Status blog that it identified attack and the patch should be rolling out soon. From the post: “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit. We expect the patch to be fully rolled out shortly and will update again when it is.”

The bug is particularly nasty because it works on mouseover only, meaning pop-ups and third-party websites can open even if you just move your mouse over the offending link.

The flaw uses a JavaScript function called onMouseOver which creates an event when the mouse is passed over a chunk of text. We’ve seen the flaw being abused to launch simple pop-up windows, redirect users elsewhere (including porn sites), and we’ve also seen it used in combination with blocks of color, covering the true “intention” of the tweet.

For now, the best course of action is using only third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter’s web interface. Also, if your Twitter account contains a message abusing the flaw, you can delete it using a third-party app.

Twitter hasn’t yet commented on the incident on any of its official accounts or its official blog. We’ve contacted Twitter about the security flaw but haven’t yet heard from them.

Source: