from www.foxnews.com – Hackers exploited a security flaw on the popular micro-blogging site Twitter, retweeting malicious code, activating pop-ups, and even exposing users to an unwanted sight: hard-core pornography.
As of 9:50 a.m. EST, a post to Twitter’s status blog said that the security flaw had been fixed, simply stating “The exploit is fully patched.” This confirms what a spokesperson for the company told popular tech news site Mashable ten minutes later: “It should now be fully patched and is no longer exploitable.”
Twitter is once again safe to visit.
According to security analysis firm Sophos, simply running your mouse over certain tweets could activate pop-ups, send you messages, or even redirect you to another site. A number of Twitter accounts were redirecting users to hardcore pornography sites — including the feed of Sarah Brown, wife of former British Prime Minister Gordon Brown — and plenty of those malicious messages had been posted, Sophos said.
“It’s tens of thousands if not hundreds of thousands of messages that have been posted,” Sophos senior technology consultant Graham Cluley told FoxNews.com. The hack used the onMouseOver JavaScript event handler, planted inside tweets, so that code ran automatically as soon as a user on the Twitter.com site moved the mouse over an affected tweet; the code then tweeted itself out to other users and redirected them to malicious sites, sometimes hardcore pornography sites.
Twitter representatives were not immediately available for comment, but the company’s safety account did mention that the problem had been fixed, at 10 a.m. EST. “The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it,” the company wrote in its Safety news feed.
The attack was broad, affecting tens or hundreds of thousands — and should never have existed in the first place, Cluley noted.
“It’s pretty widespread and has left some major egg on the face of Twitter,” Cluley told FoxNews.com. He explained that there was no reason for code like this to run at all, much less act in such a malicious fashion — a security flaw the company ought to have flagged itself, he said.
“It shouldn’t be possible to plant JavaScript code like this into your tweets,” he said.
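An added illustration, not code from the article or from Twitter, of how an event handler ends up in a tweet: it assumes a renderer that auto-links URLs by dropping the raw tweet text into an href attribute, and uses a constructed tweet whose quote character closes that attribute. The escaped version shows the fix Cluley is describing: tweet text must never be able to break out of the HTML context it is placed in.

```javascript
// Assumed vulnerable renderer (constructed for this example): the URL found in
// the tweet is pasted straight into a double-quoted href attribute. A '"' in
// the tweet therefore ends the href value, and whatever follows is parsed as
// further attributes of the <a> tag, including on* event handlers.
function renderTweetUnsafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// The characters that matter in HTML text and in double-quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened renderer: escape the whole tweet before building the anchor. A '"'
// in the tweet becomes &quot;, which decodes to a harmless character inside
// the href value and can no longer terminate the attribute.
function renderTweetSafe(text) {
  return escapeHtml(text).replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// Rough model of how a browser tokenises the first <a ...> start tag into
// name="value" attribute pairs; returns the attribute names it would see.
function attributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'=]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed tweet: the "URL" contains a quote that closes the href attribute.
const SAMPLE_TWEET = 'look http://t.co/@"onmouseover="run()"/ there';

console.log(attributeNames(renderTweetUnsafe(SAMPLE_TWEET))); // [ 'href', 'onmouseover' ]
console.log(attributeNames(renderTweetSafe(SAMPLE_TWEET)));   // [ 'href' ]
```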
And the porn may not be the worst part, warned Sophos’s Cluley. “It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code,” Cluley pointed out.
Many current security risks are two-part procedures, he said: First they take over a browser and redirect the PC to a compromised website, then they load up additional code to continue the exploit. There were also less dangerous uses for the flaw, of course.
“Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of color (known as ‘rainbow tweets’). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them,” Cluley said.
Before the patch arrived, Cluley advised people to stay away from Twitter.com itself, since third-party applications that access Twitter, such as the popular TweetDeck, were immune to the JavaScript flaw.