A mouseover hack is disrupting service on microblogging site Twitter, redirecting followers of some of the most popular users' feeds to pornography sites and exposing their PCs and mobile devices to spam and malware.
For now, Sophos is urging Twitter users to access the service through third-party Twitter clients rather than the twitter.com Web interface until the flaw is fixed.
"It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed," Sophos analyst Graham Cluley wrote in a blog post.
Thousands of Twitter accounts have already posted messages exploiting the flaw, including the account of Sarah Brown, wife of former British Prime Minister Gordon Brown. Brown posted a warning on her Twitter page telling her one million-plus followers: "don't touch the earlier tweet -- this twitter feed has something very odd going on!"
Sophos security analysts said the mouseover hack works in the redesigned Twitter Web interface launched last week, as well as with its predecessor.
Twitter officials acknowledged the vulnerability and said the company is racing to resolve the issue.
"We've identified and are patching an XSS attack," the company said in a tweet. "We expect the patch to be fully rolled out shortly and will update again when it is."
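The class of bug Twitter describes, a script handler smuggled into a link through unescaped tweet text so that it fires on mouseover, is easiest to see in a tiny autolinker. The JavaScript below is an added illustration, not Twitter's code and not the payload that circulated: the autolinker, the constructed sample tweet and the attacker.invalid host are assumptions for the example.

```javascript
// Added example: attribute-injection XSS in a hypothetical tweet autolinker.
// None of this is Twitter's code; it shows the bug class the article reports.

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: the matched URL text is dropped straight into an
// href attribute, so a double quote inside the tweet ends the attribute
// value early and whatever follows becomes a new attribute.
function autolinkVulnerable(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-escape every character that can end an attribute or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: text and attribute values are escaped for the context
// they land in, and the regex already restricts links to http(s) schemes.
function autolinkSafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    const url = m[0];
    out += escapeHtml(tweet.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Minimal attribute tokenizer: lists the attribute names a browser would
// see on the first <a ...> tag. A quoted value cannot contain its own quote,
// so anything after a stray closing quote is parsed as a fresh attribute.
function attributeNames(html) {
  const tag = /<a\s([^>]*)>/i.exec(html);
  if (!tag) return [];
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return Array.from(tag[1].matchAll(attrRe), (a) => a[1].toLowerCase());
}

// Constructed sample tweet (assumption, not a real worm payload): the quote
// after the path closes href, and an onmouseover handler follows that
// would redirect the reader when the cursor passes over the link.
const CONSTRUCTED_TWEET =
  "lol http://example.com/\"onmouseover=\"location='http://attacker.invalid' hehe";

// Names a browser would see on the link produced by each renderer.
function vulnerableAttributes() {
  return attributeNames(autolinkVulnerable(CONSTRUCTED_TWEET)).join(",");
}
function safeAttributes() {
  return attributeNames(autolinkSafe(CONSTRUCTED_TWEET)).join(",");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", vulnerableAttributes()); // href,onmouseover
  console.log("hardened:  ", safeAttributes());       // href
}
```

The hardened version keeps the whole tweet inside the href value by escaping the quote to `&quot;`, so the browser sees one attribute with an odd URL rather than a link carrying an event handler. The point generalizes: any user-controlled string that reaches an HTML attribute must be escaped for that attribute context, not merely for the surrounding text node.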
Social networking sites like Facebook and Twitter continue to provide fertile fields of opportunity for hackers looking to spread malware and spam to a huge audience as fast as possible.
Earlier this year, Twitter was targeted by a scam that used shortened URLs embedded in tweets to send followers to a variety of malicious sites.
That particular infestation peaked at a total of 23.4 billion messages during one 24-hour period, accounting for more than 18 percent of all spam emails for the day.
Follow eSecurityPlanet on Twitter @eSecurityP.