A serious security flaw was apparently found on Twitter on Tuesday but was quickly fixed. Hackers had exploited a flaw in Twitter, which results in pop-ups and third-party websites being opened despite users simply hovering over links with their mouse.
Hundreds of Twitter users, including Sarah Brown – wife of the former Labour Prime Minister Gordon Brown – have fallen victim to the attack. In some cases the third-party websites that are open are pornographic.
The problem was a cross-site scripting flaw, wrote Georg Wicherski of Kaspersky Lab on the company’s blog.
Related Story: Rogue ‘sexiest video ever’ app pummels Facebook users’ PCs
Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run that shouldn’t, which can be used to steal information or potentially cause other malicious code to run.
Wicherski wrote that it appeared a user only needed to hover over a malicious link in order to trigger the flaw, but another test showed that no user interaction was required.
Graham Cluely from security firm Sophos said in a blog that at present the flaw is being exploited for “fun and games” although “there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed”.
By around 9:45 a.m. Eastern time, Twitter had acknowledged the attack and begun working on the fix for its breakfast-chronicling, celebrity-stalking, microblogging network. The company reports that the patch to fix the vulnerability is rolling out across its servers.
“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit,” the company wrote on Tuesday afternoon.
Cluley advised Twitter users to avoid using the Twitter website and instead rely on a third-party client such as Tweetdeck to access the service.
At around 2:50pm this afternoon (GMT), Twitter’s @Safety feed posted the following message, suggesting that the problem was solved.
Code for the attack was posted on the IRC instant messaging service, Wicherski wrote. Other people who noticed the issue posted several harmless proof-of-concept demonstrations, wrote Paul Mutton of Netcraft. The flaw could have allowed something as benign as a pop-up message when mousing over a tweet, as shown on Netcraft’s blog.
But Mutton wrote that one user demonstrated more serious possibilities such as stealing cookies. Cookies are small pieces of data stored in a Web browser that are used for tracking users and remembering if a user wants to stay logged in to a Web site.
Audits of Web sites have shown that cross-site scripting flaws are among the most common Web application vulnerabilities.
IBM’s annual X-Force Trend and Risk Report found earlier this year that cross-site scripting attacks overtook SQL injection as the number-one type of Web application vulnerability. SQL injection attacks occur when commands are inputted into Web-based forms, which can cause back-end databases to reveal data if those databases are not configured properly.
Another survey by WhiteHat Security, a company that specializes in finding Web application vulnerabilities, found there’s a 66 percent chance a website will have a cross-site scripting problem.
With notes from Lex Friedman and Carrie-Ann Skinner