Twitter users hit with 'mouse over' hack
If you were on Twitter's site earlier this morning and saw weird stretches of blacked-out text in other people's updates, I hope you didn't send the cursor over them. But if you fell for this hack and had your Twitter account temporarily hijacked, I understand; I probably would have done the same thing myself.
This attack raced through the popular update-sharing service. As Sophos researcher Graham Cluley explained in a blog post, it lured users to "mouse over" snippets of Web code that had been blacked out, then exploited a flaw in the older version of Twitter's site (not the new one launched with a flurry of hype a week ago) to send out a new copy of itself under victims' accounts and send visitors to some sketchy Japanese porn site.
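As an added illustration (not Twitter's code and not the worm itself), here is the class of bug a "mouse over" attack like this one depends on, assuming, since the post does not spell it out, that the flaw was text from an update landing unencoded inside the link markup the site generated: an auto-linker that inserts a URL verbatim, beside one that encodes first, plus a check that flags an inline event handler in the rendered output. The URL, the `go()` name and the sample update are constructed.

```javascript
// Added illustration, not Twitter's code: an auto-linker that drops a
// user-supplied URL straight into an HTML attribute lets a quote in the
// URL break out of href="..." and smuggle in extra attributes such as an
// onmouseover handler; encoding the text first keeps it inside the quotes.

const URL_RE = /https?:\/\/[^\s<]+/g;

// Encode the five characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable: the matched URL is inserted verbatim. A double quote in it
// closes the href value; whatever follows is parsed as new attributes.
function autolinkUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: encode the whole update before wrapping URLs, so quotes and
// angle brackets can only ever appear as entities in the output.
function autolinkSafe(text) {
  return escapeHtml(text).replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Output check a reviewer or test can run: does any tag carry an on* handler
// as a real attribute (preceded by whitespace or a closing quote)?
function hasInlineHandler(html) {
  return /<[^>]*["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample update: a URL followed by a quote and an injected attribute.
const SAMPLE = 'see http://example.com/x"onmouseover="go()" wow';

function demo() {
  const unsafe = autolinkUnsafe(SAMPLE);
  const safe = autolinkSafe(SAMPLE);
  return { unsafe, safe,
           unsafeHasHandler: hasInlineHandler(unsafe),
           safeHasHandler: hasInlineHandler(safe) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```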
Because the attack's bait looked so innocuous -- it's not uncommon for Twitter users to play around with funny embedded graphics in their otherwise text-only updates -- many people fell for it. Around Washington, the best known may have been White House press secretary Robert Gibbs; the crestfallen update he sent right after getting suckered appears in the image at right. (Poor guy.)
Twitter users have reported that they got hit in both Windows and Mac OS X while using the latest versions of generally more secure browsers such as Mozilla Firefox and Google's Chrome. (Weirdly enough, others have told me they weren't affected while running similar software configurations.) An anti-virus program would not have helped, as the attack didn't involve running a separate program.
We're only going to see more of this nonsense as our applications increasingly take the form of Web sites. Web users need to retain a healthy level of suspicion online, and browser developers need to stay on top of these threats. But it's even more important for Web developers to spot and stomp these flaws as soon as they can.
Did you get hit by this hack? It's okay. Tell me if you had any inkling that the blacked-out text in somebody else's update was trouble, and what software you were using at the time.
September 21, 2010; 12:19 PM ET
Categories: Security, Social media