Updates at bottom of post – Twitter’s official response
There is apparently a security flaw in Twitter's code that allows other users to open third-party websites in your browser, and all you have to do is mouse over a link for it to happen.
The flaw, as reported by Internet security company Sophos, appears to be somewhat innocuous for now but holds some pretty nasty potential as it could allow Twitter users to be redirected to other sites that contain less-than-honorable code.
While that threat certainly exists, another one has reared its ugly head as well. The newest variation of the code attempts, on mouseover, to make you spread it further via your own Twitter status update.
The code, which could also be used to display multi-colored “rainbow tweets” or even a blank page, produces an effect like this:
We’ve contacted Twitter, as well as a security expert and we’re waiting for any further information. For now, it is worth noting that you should avoid clicking or mousing over any link that has the “onmouseover” command, or any link that is disguised by colors.
Of course, it is also advisable that you use a third-party Twitter client such as TweetDeck or Seesmic in the meantime. The clients are not susceptible to the “onmouseover” events, and should prove to be a safe solution. If you happen to be one of the lucky New Twitter users, you should also be safe (thanks @Boris).
Another workaround is to head to the mobile version of the Twitter site at http://mobile.twitter.com as the links do not appear to be functional via that version. You should be able to safely browse Twitter, and also delete any inadvertent tweets from your account via the mobile interface, according to CenterNetworks.
Update: According to some users, the latest chunk of code not only attempts to hijack your stream, but also apparently is hijacking the account as a whole, even if you haven’t moused over a link. One user has noted the following:
We’ve also gotten a better explanation of how the attack is happening, again via Sam from TwitterCounter:
Georg Wicherski from Kaspersky Labs adds to Sam’s explanation:
Update 3 (14:24 CEST): Worm code for this vulnerability has been posted on IRC, making the rounds.
Update 4 (14:36 CEST): Worm is live already…
Update 5 (14:59 CEST): It appears Twitter now properly escapes links, so that specific vulnerability seems closed.
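The fix referred to above comes down to how a URL is placed inside an HTML attribute. The following is an added example, not Twitter's code: `renderLinkUnsafe` concatenates a URL straight into an `href` attribute, so a double quote in the URL terminates the attribute and anything after it is read as further attributes (which is how an `onmouseover` handler ends up on a link); `renderLinkSafe` escapes the value for attribute context and only accepts `http`/`https` URLs. The sample URL is constructed and its injected handler is inert. The function names and `anchorAttributeNames` (a small check that lists the attributes a rendered anchor actually carries) are assumptions for this illustration.

```javascript
// Added example (not Twitter's code): unescaped vs. escaped link rendering.

// Constructed sample: a URL containing a double quote, which terminates an
// unescaped href attribute. The handler body is deliberately inert.
const SAMPLE_URL = 'http://example.com/" onmouseover="void(0)';

// Vulnerable rendering: user input concatenated directly into HTML.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the characters that carry meaning in HTML text and in
// double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: reject anything that is not an http/https URL
// (rendering it as plain text) and escape the value for attribute context.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return escapeHtml(url);
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(url);
  }
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Defender-side check: list the attribute names on the opening <a> tag.
// A correctly rendered link carries exactly one attribute, href; any extra
// name means the URL broke out of the attribute value.
function anchorAttributeNames(html) {
  const tag = html.match(/^<a\s+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  for (const m of tag[1].matchAll(/([a-zA-Z-]+)="[^"]*"/g)) {
    names.push(m[1]);
  }
  return names;
}

// Stand-alone run: compare what each renderer produces for the sample URL.
console.log('unsafe:', anchorAttributeNames(renderLinkUnsafe(SAMPLE_URL)));
console.log('safe:  ', anchorAttributeNames(renderLinkSafe(SAMPLE_URL)));
```

Running the block shows the unsafe renderer emitting an anchor with two attributes (`href` and the injected `onmouseover`) while the hardened one emits a single `href` whose value contains the quote characters as `&quot;`; a `javascript:` URL is rendered as plain text rather than as a link at all.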
We’ve just heard from @cpen at Twitter, and she points us to the Twitter Status blog which states that the XSS vulnerability is now being patched.
10:30 AM PDT – Twitter has put a statement on the Twitter Blog that describes the incident, as well as its response.