Warning: Mouseover tweets security flaw is wreaking havoc on Twitter [Updated]

BREAKING: Post JavaScript into your status update on Twitter and you can make something appear in a pop-up as a user mouses over your tweet, without their clicking anything. This is clearly now causing havoc across the Twittersphere as users either do funny, rickrolling-type stuff, or scammers catch on to the exploit. It looks like many users are currently using the flaw for a joke, but cybercriminals could redirect users to third-party websites containing malicious code, or pop up spam advertising. [Update: it appears the exploit can also fill in and submit a status update form ‘on your behalf’, which is how it spread to over 40,000 tweets within 10 minutes. Here are our top 5 ways to avoid and fix the onmouseover Twitter bug]

This only affects the twitter.com web site itself (which has the highest number of Twitter users), not third-party clients such as TweetDeck, Seesmic, etc., which fetch tweets through the API and render them with their own code rather than Twitter's page markup.

As security firm Sophos put it:

The Twitter website is being widely exploited by users who have stumbled across a flaw which allows messages to pop-up and third-party websites to open in your browser just by moving your mouse over a link. Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister. It appears that in Sarah Brown’s case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That’s obviously bad news for her followers – over one million of them. To Mrs Brown’s credit, she has posted a warning on her Twitter page: “don’t touch the earlier tweet – this twitter feed has something very odd going on ! Sarah”… Some users are also exploiting the loophole to create tweets that contain blocks of colour (known as “rainbow tweets”). Because these messages can hide their true content they might prove hard for some users to resist clicking on them.

This is a developing story, stay tuned for updates.

UPDATE 1: The hack may have originated with the account RainbowTwtr (best not go there, just in case) which, when you moused over the tweet, would produce a rainbow. That probably led others to realise the exploit could be used for other purposes.

UPDATE 2: As we said, third-party apps using the Twitter API won’t reproduce the mouseover exploit, so they are the safest option right now. It also appears that users of the New Twitter interface (mostly in North America) do not have the same problem.

UPDATE 3: According to blogger Espen Antonsen, the worm was kicked off by @judofyr, who at first only set the anchor background colour to black, “but his next tweet included onmouseover and people could not stop moving the mouse over the tweet resulting in over 40000 tweets within 10 minutes. So Twitter does not encode the URL and whatever is after the @ gets included in the anchor. So css and javascript can be included. Shortly after someone else created a more evil approach”. They sure did.
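To make the mechanism in UPDATE 3 concrete, here is an added example (illustrative code, not Twitter’s own) modelling the bug: a tweet “linkifier” that interpolates the matched URL straight into an anchor tag without escaping, beside a hardened version that escapes every segment at the point it is placed into the markup. The regex, the helper names and the sample tweet are assumptions constructed for the demonstration; the real Twitter code and the real payloads were different.

```javascript
// Added example: a simplified model of a tweet "linkifier" that turns
// http(s) URLs in a status into <a> tags, in a vulnerable and a hardened
// form. It is illustrative code, not Twitter's own, and the sample tweet
// below is constructed for the demo.

// Assumption: anything from "http://" or "https://" up to the next
// whitespace is treated as the URL, so a crafted tweet can put quotes and
// attribute names inside the "URL".
const URL_RE = /(https?:\/\/\S+)/g;

// Vulnerable: the matched text is interpolated straight into an attribute
// value. A double quote inside the URL closes href="..." early, and the
// rest of the tweet becomes new attributes on the anchor (style, onmouseover).
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the five characters that matter in HTML text and double-quoted
// attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: split into URL and non-URL segments, escape every segment
// before it is placed in the markup, and only ever emit href values that
// begin with http:// or https:// (the regex guarantees the scheme, so a
// javascript: URL cannot reach the anchor either).
function linkifySafe(text) {
  return text
    .split(URL_RE)
    .map((part, i) =>
      i % 2 === 1
        ? `<a href="${escapeHtml(part)}">${escapeHtml(part)}</a>`
        : escapeHtml(part)
    )
    .join('');
}

// Roughly what a browser would see: the attribute names on the first <a>
// tag of the rendered markup.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\b([^>]*)>/);
  if (!tag) return [];
  return Array.from(tag[1].matchAll(/([a-zA-Z][\w-]*)="[^"]*"/g), (m) => m[1]);
}

// Constructed tweet modelled on the pattern the article describes: a quote
// after the @ breaks out of href, then a CSS style and an onmouseover
// handler are smuggled in as attributes.
const SAMPLE_TWEET =
  'Check this http://example.com/@"style="background:#000"onmouseover="alert(1)"/ now';

console.log('unsafe attributes:', anchorAttributeNames(linkifyUnsafe(SAMPLE_TWEET)));
console.log('safe attributes:  ', anchorAttributeNames(linkifySafe(SAMPLE_TWEET)));
```

Run it with node: the unsafe version yields an anchor carrying href, style and onmouseover attributes, which is exactly the CSS-and-JavaScript injection described above; the hardened version yields a single href whose value merely contains `&quot;`. The point worth taking away is that escaping belongs where the string is written into the markup (once for the attribute value, once for the text node), not in a one-off “clean the input” pass, and that restricting href to http(s) closes the javascript: route as well.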

UPDATE 4: A commenter points out a quick fix below: “Go to mobile.twitter.com and sign in. Then go to mobile.twitter.com and delete the forced retweet. Do this quick so that others don’t get affected. ALSO, don’t forget to change your password just in case.”

UPDATE 5: We’ve now heard the mobile site may be affected as well. Best avoided.

FINAL UPDATE: Twitter says it is now on the case and fixing the issue.

ONE FOR LUCK: Twitter Patches Security Hole, Introduces Two Cool New Features To #NewTwitter

  • KodeKaran

    Twitter might want to validate for JavaScript and HTML :S

  • JP

    And I think it started w/ @RainbowTwtr

  • http://smackdown.blogsblogsblogs.com Michael VanDeMar

    If Twitter cared at all about its users it would simply close the web version for maintenance until they had this fixed. To not do so means exposing a huge number of people to viruses and other malicious behavior.

    It’s not like people aren’t used to Twitter being down.

  • Silvano

    About time…

  • http://techtoom.com vikash

    A small bug, I guess they have fixed it now.


    • Silvano

      Still working for me.

  • http://www.yosefsolomon.com Yosef Solomon

    Yeah, I just noticed this… I thought it was just a huge takeover ad lol

  • http://almud.auner.net glamgeekgirl

    http://mobile.twitter.com/ works just fine. No sweat, and I wouldn’t expect Twitter to shut down their main site. Or does Microsoft shut down Windows for its security holes? ;-)

    I hope this gets fixed soon though…

    • Silvano

      Apples to oranges, really.

  • Silvano

    People need to learn the beautiful feature called “DELETE THIS TWIT”

  • http://millwoodonline.co.uk/ Tim Millwood

    I have blogged about this too.


  • http://twitter.com/Espen_Antonsen Espen Antonsen

    It was started by Judofyr, a Norwegian Ruby developer. More info: http://blog.inspired.no/xss-vulnerability-on-twitter-com-760

  • http://www.muchosmedia.com Stefan Richter

    Does this make Flash and AIR more secure than HTML and JS then?


  • mulhuzz

    Anyone affected should clear cache etc and then change pw by directly visiting twitter.com/settings/account (thus bypassing timeline) and you should be good to go.

  • wesley

    How dumb are those developers? Escaping output (in this case the URL) is security 101… And they’ve had these kinds of XSS holes before.

  • http://www.adspedia.ro adspedia

    Seems like the new Twitter interface has found its untested bugs :)

  • http://mariuslobontiu.wordpress.com Marius

    It IS affecting TweetDeck. Check that. Not sure about other clients.

    • http://www.matthewfabb.com Matthew Fabb

      I see people on my Twitter feed in TweetDeck who have been affected, but rolling over their Tweets doesn’t trigger the JS. So it seems to me that TweetDeck is safe.

  • http://twitter.com/anujahooja Anuj Ahooja

    QUICK FIX: Go to mobile.twitter.com and sign in. Then go to mobile.twitter.com/ and delete the forced retweet. Do this quick so that others don’t get affected. ALSO, don’t forget to change your password just in case.

  • http://burningbird.net Shelley

    So, if I understand all the postings on this correctly, Twitter does not clean its inputs? It doesn’t escape the text to prevent JavaScript in tweets? Seriously?

    I think it’s time to stop playing with Twitter and return to using software not created by rank amateurs.

  • http://twitter.com/bubs Bubs

    If you posted that malicious tweet and can’t delete it via the website… load up Twitter on your iPhone/other smart phone and delete it.

  • http://www.gogeeks.tv Paras

    Oh crap….rick roll has come to twitter?

    Luckily chrome has this: http://bit.ly/aODS2P

  • http://nik.pevik.com Nikolay

    seems like it is fixed now