Twitter Security Messed Up By onMouseover JavaScript

Twitterers should watch out for a security flaw on Twitter that can automatically redirect users to third-party sites and launch pop-ups--even without users clicking on the spurious links.

Initially dubbed the Twitter "mouseover bug"--just hovering your mouse over an infected link can launch pop-ups and third-party sites--the exploit, which abuses the onMouseover JavaScript event handler, seems only to be affecting users on Twitter.com. Users are advised to stay off the site and use third-party applications until it is resolved. TweetDeck, one third-party Twitter client, noted, "Affected tweets show up in TweetDeck as containing code/script. Just ignore/delete such tweets & do not view on twitter.com until fixed."

There are also reports that the new version of Twitter, unveiled last week, is not affected.

Business ETC offers one explanation of how the glitch started spreading:
[U]sers began seeing large chunks of blacked-out text in timelines, which - when hovered over by users mistaking the message for blacked-out formatting - automatically filled the 'New Tweet' space on the page and tried to post the message.

The code in question is a JavaScript exploit which masquerades as a traditional hyperlink, so as to evade Twitter's automatic filters, but triggers a sequence that automatically posts the same message to a user's own timeline, thus continuing its spread.
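The filter evasion described above is an attribute-injection problem: user-supplied text reaches the href attribute of a generated link without being encoded, so an event handler such as onmouseover can ride along. As an added example (not Twitter's code or the exploit itself), here is a tweet auto-linker that encodes visible text and attribute values separately and only links absolute http(s) URLs; every input is constructed.

```javascript
// Added example, not Twitter's code: render tweet text to HTML so that no
// user-controlled character can terminate an attribute or add a new one.

// Encode the five characters that matter in HTML text and attribute values.
function encodeText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Accept only absolute http(s) URLs; anything else is rendered as plain text.
// The WHATWG parser also normalises the URL (e.g. percent-encodes '"' in paths).
function safeHref(raw) {
  try {
    const u = new URL(raw);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;
  }
}

// Turn http(s) URLs in a tweet into anchors. Every interpolated piece, the
// surrounding text, the href value and the link label, goes through encodeText,
// so a quote inside the URL can never close the href attribute.
function autoLink(tweet) {
  const urlRe = /https?:\/\/\S+/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = urlRe.exec(tweet)) !== null) {
    out += encodeText(tweet.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href
      ? `<a href="${encodeText(href)}">${encodeText(m[0])}</a>`
      : encodeText(m[0]);
    last = m.index + m[0].length;
  }
  return out + encodeText(tweet.slice(last));
}
```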

Graham Cluley noted on his Sophos blog, "It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed."

Mashable estimates that the security flaw "has been widely exploited on thousands of Twitter accounts." Cluley observed that Sarah Brown, the wife of the former British Prime Minister, was affected. @MikeCane tweeted, "This thing is spreading so fast that Search Twitter cannot update fast enough." Another user, @Mikeful, wrote, "Seems like Twitter onmouseover-exploit is spreading like wildfire. Search page tells "14000 new tweets" after waiting 10 seconds." Because the exploit seems able to "fill and submit a status update form 'on your behalf,'" TechCrunch reports the onMouseover exploit may have spread to as many as 40,000 tweets in just 10 minutes.
