Twitter patches XSS flaw – former Prime Minister's wife amongst many hit by onmouseover problem

The initial reports of the cross-site scripting (XSS) flaw suggested that hackers had realised that Twitter users only needed to move their mouse over a message containing a link to trigger their web browser into opening it.

However, it now appears that hackers started creating websites that auto-pushed the malware as soon as the web browser opened, using code embedded in the Twitter message, Infosecurity understands.
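The mechanism behind the flaw, as an added illustration that is not Twitter's code and does not reflect the actual patch: a link dropped unescaped into an HTML attribute lets a quote character end the attribute and start a new one, such as an onmouseover handler. The naive renderer sits beside a hardened one, with a check a reviewer can run over rendered markup; the sample URL is constructed and `injected()` is a placeholder name.

```javascript
// Added illustration (not Twitter's code): escaping a link in attribute context.

// Escape the characters that can break out of an attribute or text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Naive renderer: the URL goes straight into href. A double quote in the URL
// closes the attribute, and the rest of the string is parsed as further
// attributes, which is how an event handler ends up on the link.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened renderer: accept only http(s) URLs, normalise them through the URL
// parser (which percent-encodes quotes and spaces), then escape the value in
// both the attribute and the text context.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return escapeHtml(url); // not a URL: render as plain text, no anchor
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(url); // javascript:, data: and friends are not linked
  }
  const safe = escapeHtml(parsed.href);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Output check: does an inline event-handler attribute (on...=) appear in
// markup where only href was expected? Useful as a regression test after a fix.
function containsEventHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample: a URL that closes the href attribute and adds a handler.
const crafted = 'http://example.com/"onmouseover="injected()';
```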

Large numbers of Twitter users have been caught out by the flaw in the last few days, including Sarah Brown, the wife of Gordon Brown, the UK's former Prime Minister.

Twitter patched the flaw yesterday and an apology was posted by Bob Lord, the company's security chief, who noted that users may still see strange retweets in their timelines caused by the exploit.

"However, we are not aware of any issues related to it that would cause harm to computers or their accounts", he said.

Commenting on the flaw, Amichai Shulman, Imperva's chief technology officer, said that XSS is one of the oldest tricks in the book.

The attack, he says, shows how hackers take an old school attack and transform it into something that is modern and sophisticated.

"The lesson here is that Web 2.0 once again proves it can be a security nightmare", he said, adding that this shows how consumers need to rely on vendors like Twitter to install 'seat belts' in their products.

"Although Twitter has made steps to improve their security, this incident shows that they still have a ways to go", he said.

Don Leatham, senior director of solutions and strategy with Lumension, meanwhile, said that, with 75 million users, it is hardly any wonder that Twitter has become a test case for a new type of attack.

"What is particularly worrying about this new threat is that computers fall victim to the infection as a result of a simple cursor movement without the user having to click a thing", he said.

According to Leatham, the industry simply can't just rely on spotting malicious activity and then reactively try to stop it from affecting internet users.

The industry, he added, needs to take proactive steps to ensure that regardless of what is happening on the web, corporate environments are trusted and safe.

Over at Sunbelt Software, Chris Boyd, the firm's senior threat researcher, noted that, whilst most examples of the onmouseover security flaw seem to be people playing around with code without any specific malicious aim, there have been numerous cases of site redirects, as well as profile corruption and various other side effects.
