Tuesday, September 21, 2010

Twitter patches fast-spreading 'onmouseover' security flaw

If you logged on to your Twitter account Tuesday morning through the Twitter website, you may have noticed something a little unusual: one or more odd-looking tweets crammed with a garble of JavaScript code.

Unlucky users (many thousands of them, apparently — including Sarah Brown, wife of former British Prime Minister Gordon Brown; the staffer who runs the White House Twitter feed; and yours truly) who clicked or even hovered over the links with their cursors were hit with a variety of nasty surprises, ranging from random text pop-ups to auto-spawning browser windows that zipped over to hardcore porn sites.

In some cases (such as mine), users even found themselves unwittingly retweeting the malicious code and getting locked out of the Twitter home page.

Graham Cluley of security firm Sophos spotted the flaw early Tuesday, after it briefly turned Sarah Brown’s Twitter page into a portal for some rather, uh, unsavory content. ("Don’t touch the earlier tweet — this Twitter feed has something very odd going on," Brown tweeted shortly after discovering that her account had been compromised.)

The flaw didn’t affect those using third-party Twitter clients like TweetDeck and Seesmic, only Twitter.com itself. The bug was in how the Twitter.com web page turned URLs in tweets into clickable links: a double quote inside a URL closed the link’s href attribute early, so whatever followed it, including an onmouseover event handler, was parsed as additional HTML attributes rather than as text. Third-party clients render tweets with their own code, so the same tweets did nothing there.
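The "onmouseover" flaw belongs to a well-known bug class: attribute injection when HTML is assembled from untrusted strings. The following is an added example, not Twitter's code and not part of the original post. It shows a naive linkifier built by string concatenation beside a hardened one that validates the URL and escapes everything it interpolates. The URL matcher, the sample tweets and the payload shape are constructed for this illustration and simplified from the real incident.

```javascript
// Added illustration of the attribute-injection bug class behind an
// "onmouseover" cross-site scripting flaw. This is NOT Twitter's code:
// the URL matcher, sample tweets and payload shape are constructed here
// and simplified from the real incident.

// Simplistic URL matcher: any non-space run after http(s)://. Because it
// accepts a double quote, a quote in a URL reaches the HTML built below.
const URL_RE = /https?:\/\/\S+/g;

// VULNERABLE: the anchor is assembled by string concatenation. A `"` inside
// the matched URL closes the href attribute early, and whatever follows is
// parsed as further attributes on the <a> element, e.g. onmouseover="...".
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED helpers: escape for HTML text and attribute context ...
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// ... and only link URLs that are plain http(s) made of legal URL characters.
// A quote is never valid in a URL, so a match containing one is left as text.
// Whitelisting the scheme also keeps javascript: URLs out of href.
const SAFE_URL_RE = /^https?:\/\/[A-Za-z0-9._~:\/?#\[\]@!$&'()*+,;=%-]+$/;

function linkifySafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    out += SAFE_URL_RE.test(url)
      ? `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`
      : escapeHtml(url);
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Rough check used below: does any tag carry an on* event-handler attribute?
// No whitespace is required before "on", because an HTML parser starts a new
// attribute right after a closing quote even when no space separates them.
function hasInjectedHandler(html) {
  return /<[^>]*[\s"']on\w+\s*=/i.test(html);
}

// Constructed sample tweets (not the 2010 payload).
const BENIGN_TWEET = 'Check this: http://example.com/page';
const HOSTILE_TWEET = 'see http://a.example/@"onmouseover="alert(\'xss\')"//';

console.log(linkifyUnsafe(HOSTILE_TWEET)); // handler attribute injected
console.log(linkifySafe(HOSTILE_TWEET));   // rendered as inert text
```

Run it with node to see the two renderings side by side. Two points carry over to real code: escaping alone does not make a URL safe to put in href (hence the scheme whitelist), and in a browser you would rather build the element with createElement and setAttribute than assemble markup as a string at all.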

The good news is that even if you were a victim of the auto-retweet attack, it doesn’t appear that your Twitter username or password was compromised: the injected script acted inside your already logged-in browser session rather than stealing credentials. It is still a reasonable precaution to change your password once the dust settles.

Shortly before 10 a.m. ET Tuesday, an update on the official Twitter status blog said that site engineers had "identified and are patching a XSS" (short for "cross-site scripting") "attack." A few minutes later, a follow-up to the post read that the flaw had been "fully patched."

So, anyone get hit by the "onmouseover" Twitter flaw this morning?