Jokers exploit Twitter security flaw

Posted by Emma Woollacott

A cross-site-scripting security flaw in Twitter is allowing pranksters to redirect visitors to third-party websites such as porn pages.

Victims of the onMouseOver exploit include Sarah Brown, wife of the former British prime minister, whose million-odd followers found themselves redirected to a Japanese hardcore porn site.

"don't touch the earlier tweet - this twitter feed has something very odd going on!", she warned.

The flaw allows users to post chunks of JavaScript code inside tweets, causing messages to pop up and third-party websites to open in the user's browser when the mouse is simply moved over a link.
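From the defender's side, the usual fix for this class of bug is output encoding. The snippet below is an added illustration, not Twitter's code; it assumes (the article does not say) that the bug came from dropping a tweet's URL text into an `href` attribute without escaping, so a quote in the text could close the attribute and start a new one such as `onmouseover`. It shows the unsafe rendering beside a hardened version and a simple check an auditor can run over rendered markup.

```javascript
// Added example (not Twitter's code). Assumption: the rendering code placed
// user-supplied URL text inside an href attribute without escaping.

// Minimal HTML encoder: escapes the five characters that can break out of an
// attribute value or start new markup.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Only link http(s) URLs, so javascript: and other schemes never become hrefs.
function isSafeUrl(url) {
  return /^https?:\/\//i.test(url);
}

// Vulnerable rendering: the text is concatenated straight into the attribute.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened rendering: scheme allow-list plus attribute/text encoding.
function renderLinkSafe(url) {
  if (!isSafeUrl(url)) return escapeHtml(url); // shown as plain text, not a link
  const enc = escapeHtml(url);
  return '<a href="' + enc + '">' + enc + '</a>';
}

// Audit helper: does rendered markup contain an on*= event-handler attribute?
// A quote or whitespace before "on" is what lets the browser see it as a new
// attribute; correctly encoded output never matches.
function containsEventHandler(html) {
  return /[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed sample input (hypothetical): URL text that tries to close the
// href attribute and add a mouseover handler, the shape the article describes.
const SAMPLE = 'http://example.com/"onmouseover="alert(1)';
```

Run `containsEventHandler` over both renderings of `SAMPLE` to see the difference: the unsafe output carries a live handler, the hardened one carries only text.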

"It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed," says Graham Cluley of security firm Sophos.

"Hopefully Twitter will shut down this loophole as soon as possible - disallowing users to post the onMouseOver JavaScript code, and protecting users whose browsing may be at risk."

According to Cluley, some users also seem to be exploiting the loophole to create 'rainbow tweets' - tweets that contain blocks of color. Because these messages can hide their true content, he says, some users may find them too hard to resist clicking on.

Cluley suggests that until the problem is fixed, users might be better off using a third-party Twitter client, rather than the Twitter.com website.