AOL Tech

Twitter onMouseOver flaw poses huge risk to users, is being actively exploited

Graham Cluley of Sophos posted this morning about a nasty little Twitter security flaw that is being actively exploited. It is a cross-site scripting (XSS) bug: twitter.com fails to escape a quote character in the text of a link when it renders a tweet, so a specially crafted URL can break out of the link's href attribute and smuggle an onMouseOver JavaScript handler into the page. That handler (you guessed it!) kicks in the moment your mouse pointer passes over the link, no click required.

What happens next is up to whoever wrote the tweet. It could be something harmless like the alert box in the screenshot above, or it could just as easily be a rogue antivirus pop-up, a redirect to a porn site, or, because the script runs inside your logged-in twitter.com session, actions taken on your account. Again, you don't need to click; you simply have to mouse over the link. As Cluley points out, Twitter could shut this down quickly by blocking the onMouseOver text. Filtering that one word is only a stopgap, though, since HTML has plenty of other event-handler attributes; the proper fix is to escape quotes and other HTML metacharacters when the link is built.
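As an added example (not code from the original post, from Cluley's write-up, or from Twitter itself), here is a toy tweet linkifier with the same class of defect beside a hardened version, plus a small attribute tokenizer that shows why the stray quote matters: once a quoted attribute value closes, an HTML parser begins a new attribute name even when no whitespace follows. The URL regex, the payload text and the tokenizer are this example's own assumptions; the real exploit tweets differed in their details.

```javascript
// Added example, not Twitter's code. Demonstrates how an unescaped quote in a
// URL turns a harmless <a> tag into one carrying an onmouseover handler.

// Assumed URL matcher: anything from http(s):// up to whitespace or '<'.
const URL_RE = /https?:\/\/[^\s<]+/g;

// Vulnerable: the raw URL is concatenated straight into href="...". A double
// quote inside the URL closes the attribute early, and whatever follows is
// parsed as further attributes of the <a> tag.
function linkifyVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: escape every character that is special inside an attribute value
// or a text node before it is placed into the markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function linkifyHardened(tweet) {
  return tweet.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Simplified attribute tokenizer for the first <a ...> tag in `html`. It
// follows the HTML tokenizer rule that a new attribute name may start right
// after a closing quote with no whitespace in between, which is exactly what
// lets the injected onmouseover= take effect in a browser.
function attributeNames(html) {
  const start = html.indexOf('<a');
  if (start < 0) return [];
  let i = start + 2;
  const names = [];
  while (i < html.length && html[i] !== '>') {
    while (/\s/.test(html[i])) i++;
    if (html[i] === '>' || html[i] === '/') { if (html[i] === '/') i++; continue; }
    let name = '';
    while (i < html.length && !/[\s=>\/]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (/\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (/\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) i++;
        i++; // past the closing quote; the next char may begin a new attribute
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Constructed payload in the shape of the 2010 tweets (assumed, not a real
// sample): a quote closes href and an onmouseover handler rides along.
const PAYLOAD = 'check this out http://example.com/@"onmouseover="alert(1)"/';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(linkifyVulnerable(PAYLOAD));
  console.log('attributes:', attributeNames(linkifyVulnerable(PAYLOAD)));
  console.log(linkifyHardened(PAYLOAD));
  console.log('attributes:', attributeNames(linkifyHardened(PAYLOAD)));
}
```

Run it with Node and compare the two attribute lists: the vulnerable rendering yields an onmouseover attribute alongside href, while the hardened one yields href alone, because the quote that would have closed the attribute is now `&quot;`. The same escaping step, not a blacklist of handler names, is what stops onmouseout, onfocus and every other handler too.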

TweetDeck reminds users that this exploit doesn't affect third-party clients. The injection happens in twitter.com's own rendering of links, so unless you're reading tweets on twitter.com you should be safe from this particular flaw.

At this point, probably 70% of the users I question about how they got an infection are telling me that they were fine until they clicked something from a friend on Facebook or Twitter. I'm starting to think those two sites are going to play cat-and-mouse with Adobe Reader and the Flash Player plug-in for the "who can cause the most malware infections" crown.

Update: Twitter responded in a hurry, and the flaw has already been patched.

Tags: exploit, flaw, hole, link, malware, security, twitter
