Faster Forward: Twitter users hit with 'mouse over' hack
If you were on Twitter's site earlier this morning and saw weird stretches of blacked-out text in other people's updates, I hope you didn't send the cursor over them. But if you fell for this hack and had your Twitter account temporarily hijacked, I understand; I probably would have done the same thing myself.
This attack raced through the popular update-sharing service. As Sophos researcher Graham Cluley explained in a blog post, it lured users to "mouse over" snippets of Web code that had been blacked out, then exploited a flaw in the older version of Twitter's site (not the new one launched with a flurry of hype a week ago) to send out a new copy of itself under victims' accounts and send visitors to some sketchy Japanese porn site.
Because the attack's bait looked so innocuous -- it's not uncommon for Twitter users to play around with funny embedded graphics in their otherwise text-only updates -- many people fell for it. Around Washington, the best known may have been White House press secretary Robert Gibbs; the crestfallen update he sent right after getting suckered appears in the image at right. (Poor guy.)
Twitter quickly posted warnings on its status blog and its "@Safety" Twitter account. About an hour later, it had fixed its old site to close the vulnerability.
Users of the redesigned version of Twitter were not affected, nor were those using mobile versions of the site or such separate applications as TweetDeck or Twitterfall. But because this attack -- in technical terms, a "cross-site scripting" attack -- took advantage of nothing more complicated than a Web browser's support for JavaScript coding, pretty much everybody else was vulnerable.
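For readers who want to see what "spot and stomp" looks like on the developer's side, here is an added illustration; it is not code from the article, from Twitter or from Sophos, and the function names (`escapeHtml`, `safeHref`, `renderUpdate`) and the sample update are my own assumptions. The idea is the standard defense against this class of flaw: text a user typed is data, not markup, so it gets escaped on the way into the page, and a token only becomes a link when its scheme is one the site allows.

```javascript
// Added example (not from the article, Twitter or Sophos): rendering a
// user's update so that nothing in it can become markup or an event
// handler. Runs under Node.js; no browser needed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that could end a text node or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; anything else (including javascript:)
// is returned as null and rendered as plain text. The URL parser also
// percent-encodes quotes and angle brackets in the query string.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Render one update: split on whitespace, linkify tokens that look like
// URLs, and escape everything (link text and href alike) on the way out.
function renderUpdate(text) {
  return String(text)
    .split(/(\s+)/)
    .map((token) => {
      if (token === "" || /^\s+$/.test(token)) return token;
      const href = /^https?:\/\//i.test(token) ? safeHref(token) : null;
      const escaped = escapeHtml(token);
      // rel="noopener noreferrer": the linked page gets no handle on ours.
      return href
        ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escaped}</a>`
        : escaped;
    })
    .join("");
}

// Constructed sample (assumption, not a real tweet): a URL token that tries
// to close the href attribute and smuggle in an onmouseover handler, the
// shape of trick the article describes.
const SAMPLE = 'check this http://example.com/?q="onmouseover="x()" now';

console.log(renderUpdate(SAMPLE));
```

The point to notice is that the sample comes out with every quote turned into `&quot;` in the link text and `%22` in the href, so the browser sees one anchor element and no attribute called `onmouseover`. Escaping at the point of output, rather than trying to filter "bad" input, is what closes the hole; a separate filter would have to anticipate every trick, while output escaping does not care what the text was trying to do.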
Twitter users have reported that they got hit in both Windows and Mac OS X while using the latest versions of generally more secure browsers such as Mozilla Firefox and Google's Chrome. (Weirdly enough, others have told me they weren't affected while running similar software configurations.) An anti-virus program would not have helped, as the attack didn't involve running a separate program.
We're only going to see more of this nonsense as our applications increasingly take the form of Web sites. Web users need to retain a healthy level of suspicion online, and browser developers need to stay on top of these threats. But it's even more important for Web developers to spot and stomp these flaws as soon as they can.