In association with heise online

21 September 2010, 14:26

OnMouseOver XSS plagues Twitter - Update

A new wave of Twitter attacks which make use of an XSS vulnerability in Twitter's web client is causing trouble for users of the micro-blogging service. The injected script code is able to read the user's Twitter cookie and authentication data. First assessments indicate that the vulnerability can be used to create a worm that spreads automatically.

Demonstration code that is currently circulating shows a window displaying information about the user's current session when the mouse pointer is moved over a displayed link. Users wishing to protect themselves should either disable JavaScript or install an extension such as NoScript to selectively block JavaScript on a per-site basis.

The XSS vulnerability is also being exploited to inject blacked-out areas on pages to hide the manipulated links. These appear in the user's view of their Twitter timeline and run a script when the user moves their mouse over the blacked-out areas. The payload script posts code into the user's status, sends it on to their followers and may also redirect the user to a dubious site, as observed by Sophos in their blog.

Users of Twitter desktop and mobile clients are unaffected by the flaw, which relies on users being logged in to the Twitter service for the "tweets" to be rendered in a web page. Apparently, users of the recently unveiled "new Twitter" web front end are also unaffected.

Update - In a posting on the company's status blog, Twitter have announced that the vulnerability is now "fully patched".
