BREAKING: Post javascript into your status update on Twitter and you can make something appear in the pop-up as a user mouses over your tweet. This is clearly now causing havoc across the Twittersphere as users either do funny, rick-rollling type stuff, or scammers catch on to the exploit. It looks like many users are currently using the flaw for a joke but cybercrims could redirect users to third-party websites containing malicious code, or for spam advertising pop-ups. [Update: it appears the exploit could also fill and submit a status update form ‘on your behalf’ leading to it spreading to over 40,000 tweets within 10 minutes. Here are our top 5 ways to avoid and fix the onmouseover Twitter bug]
This is only affecting the actual Twitter web site (which has the highest number of Twitter users), not third party apps like Tweetdeck, Seesmic, etc.
As Security experts Sophos put it:
The Twitter website is being widely exploited by users who have stumbled across a flaw which allows messages to pop-up and third-party websites to open in your browser just by moving your mouse over a link. Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister. It appears that in Sarah Brown’s case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That’s obviously bad news for her followers – over one million of them. To Mrs Brown’s credit, she has posted a warning on her Twitter page: “don’t touch the earlier tweet – this twitter feed has something very odd going on ! Sarah”… Some users are also exploiting the loophole to create tweets that contain blocks of colour (known as “rainbow tweets”). Because these messages can hide their true content they might prove hard for some users to resist clicking on them.
This is a developing story, stay tuned for updates.
UPDATE 1: The hack may have originated with the account RainbowTwtr (best not go there just in case) which, when you moused over the tweet, would produce a rainbow. That probably lead others to realise the exploit could be used for other purposes.
UPDATE 2: As we said, third party apps using the Twitter API won’t re-produce the mouseover exploit, so they are safest right now. It also appears that users of the New Twitter interface (mostly in North America) do not have the same problem.
UPDATE 3: According to blogger Espen Antonsen, the worm was kicked off by @judofyr here in order to just set the anchor background color to black “but his next tweet included onmouseover and people could not stop moving the mouse over the tweet resulting in over 40000 tweets within 10 minutes. So Twitter does not encode the URL and whatever is after the @ gets included in the anchor. So css and javascript can be included. Shortly after someone else created a more evil approach”. They sure did.
UPDATE 4: A commenter points out a quick fix below: “Go to mobile.twitter.com and sign in. Then go to mobile.twitter.com and delete the forced retweet. Do this quick so that others don’t get effected. ALSO, don’t forget to change your password just in case.”
UPDATE 4: We’ve now heard the Mobile site may be affected as well. Best avoided.
FINAL UPDATE: Twitter says it is now on the case and fixing the issue.
ONE FOR LUCK: Twitter Patches Security Hole, Introduces Two Cool New Features To #NewTwitter