Network News

X My Profile
View More Activity

Twitter users hit with 'mouse over' hack

If you were on Twitter's site earlier this morning and saw weird stretches of blacked-out text in other people's updates, I hope you didn't send the cursor over them. But if you fell for this hack and had your Twitter account temporarily hijacked, I understand; I probably would have done the same thing myself.

This attack raced through the popular update-sharing service. As Sophos researcher Graham Cluly explained in a blog post, it lured users to "mouse over" snippets of Web code that had been blacked out, then exploited a flaw in the older version of Twitter's site (not the new one launched with a flurry of hype a week ago) to send out a new copy of itself under victims' accounts and sent visitors to some sketchy Japanese porn site.


Because the attack's bait looked so innocuous -- it's not uncommon for Twitter users to play around with funny embedded graphics in their otherwise text-only updates -- many people fell for them. Around Washington, the best known may have been White House press secretary Robert Gibbs; the crestfallen update he sent right after getting suckered appears in the image at right. (Poor guy.)

Twitter quickly posted warnings on its status blog and its "@Safety" Twitter account. About an hour later, it had fixed its old site to close the vulnerability.

Users of the redesigned version of Twitter were not affected, nor were those using mobile versions of the site or such separate applications as TweetDeck or Twitterfall. But because this attack -- in technical terms, a "cross-site scripting" -- took advantage of nothing more complicated than a Web browser's support for JavaScript coding, pretty much everybody else was vulnerable.

Twitter users have reported that they got hit in both Windows and Mac OS X while using the latest versions of generally more secure browsers such as Mozilla Firefox and Google's Chrome. (Weirdly enough, others have told me they weren't affected while running similar software configurations.) An anti-virus program would not have helped, as the attack didn't involve running a separate program.

We're only going to see more of this nonsense as our applications increasingly take the form of Web sites. Web users need to retain a healthy level of suspicion online, and browser developers need to stay on top of these threats. But it's even more important for Web developers to spot and stomp these flaws as soon as they can.

Did you get hit by this hack? It's okay. Tell me if you had any inkling that the blacked-out text in somebody else's update was trouble, and what software you were using at the time.

By Rob Pegoraro  | September 21, 2010; 12:19 PM ET
Categories:  Security, Social media  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: 4G forecast: More details on Verizon's LTE plans
Next: Latest ACSI survey shows PC vendors doing better but still trailing Apple


NoScript for Firefox, which includes XSS protection, to the rescue. WinXP, Firefox, no problems.

Posted by: tmiller2009 | September 21, 2010 12:48 PM | Report abuse

I wonder if the people affected had an AV package installed. They should have gone to:

Posted by: fakedude1 | September 21, 2010 1:13 PM | Report abuse

An XSS attack? Really? In this day and age? This is an old (for the web) type of attack. No web site should be vulnerable to this sort of thing because all web developers (including me) know to sanitize their inputs in order to avoid a "Bobby Tables" incident:

Posted by: wiredog | September 21, 2010 1:29 PM | Report abuse

I got hit by the attack and didn't even actively pull my cursor over the effected text. My mouse must have already been hovering in the wrong place when the page loaded. Having something so passively activated is scary! I can only imagine that there is more of this to come. Hopefully this relatively harmless attack sent up red flags and this type of security hole is being plugged across the board right now.

Posted by: ShawnDC | September 21, 2010 2:02 PM | Report abuse

Interesting... I received an e-mail just abut an hour ago telling me I had a message on Twitter. I don't even have a Twitter account! Wonder if this is related to the above mentioned attack??

Posted by: timmdrumm | September 21, 2010 9:06 PM | Report abuse

Interesting... I received an e-mail just about an hour ago telling me I had a message from Twitter. They did a pretty good job of making it look official, but I knew something was strange: I don't even have a Twitter account! Wonder if this is related to the above mentioned attack??

Posted by: timmdrumm | September 21, 2010 9:07 PM | Report abuse

I got hit. What it was (for me at least) was not some kind of blacked-out text in someone else's status; it was a gray overlay over the whole site (like a lightbox effect without the lightbox), with some text running along the top of the site, superimposed over everything else. It looked like the site was broken.

I tried to figure out what was going on. I moved my cursor a little and the text twitched and changed very rapidly, and then Twitter popped up a message that I'd retweeted someone. The mouseover area may have been the entire page, since that had a gray overlay, or it may have been that line of text running along the top. Either way, it was hard to avoid, especially if you didn't know you needed to avoid something.

The browser I was using was Chrome.

Posted by: tonybreed | September 22, 2010 10:06 AM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.

characters remaining

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company