Black Web 2.0
Twitter Security Flaw Lets You Execute Javascript 'onmouseover'
Sep 21, 2010 Aug 20, 2013

Update. The bug has been patched and rolled out. In addition, Twitter has added two new features to the updated interface: Reply to All and auto-complete for Twitter names.
We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.

We expect the patch to be fully rolled out shortly and will update again when it is.

Update (6:50 PDT, 13:50 UTC): The exploit is fully patched.
A pretty dangerous bug has just been discovered on Twitter that lets users embed Javascript in tweets which will execute once your mouse moves over the tweet. This is dangerous because it could be used to redirect your browser to a malicious website and potentially harm your computer.

Most users are just using the exploit for fun, using Javascript's "alert" function to popup messages like "I Love You" and "Hola." In the case of Sarah Brown, wife of the former British Prime minister, tweets appearing in her stream were redirecting visitors to a hardcore Japanese porn site. Definitely not a good look for her over 1 million followers.

She first posted a warning on her page to try to protect visitors, saying "don't touch the earlier tweet - this twitter feed has something very odd going on ! Sarah." Her profile now shows up as protected. Not sure if it was always so or if this is a more drastic attempt to protect her followers.

At the time of this writing, there has been no statement issued from Twitter and, in my testing, the exploit is still active. There are a few ways to protect yourself, but first and foremost is to completely stay off of Twitter.com. It appears that the exploit only works if you haven't been upgraded to the new Twitter interface, but better safe than sorry. Also, if you are using a third-party client like Tweetdeck, you should be in the clear.

Many affected tweets appear as a black box or in rainbow colors. This is a red flag as the colors hide the content of the tweet, but all affected tweets are not hidden this way. If you absolutely must use Twitter using the old interface at Twitter.com, avoid moving your mouse cursor into the tweet area. It's very easy to activate these things and, if Twitter doesn't do something about it quick, it's only a matter of time before someone gets creative.

With most users still using Twitter via the web interface, this is a serious issue that needs to be resolved immediately. It's very surprising that a bug this simple wasn't caught in testing and is only being discovered now. (Update: This flaw was corrected a month ago, but was re-introduced in a recent update completely unrelated to the new Twitter)

Have you seen or been affected by this bug?

via Sophos, Twitter Blog