Twitter Fixes Security Flaw After Thousands Hit

Twitter says it has identified and patched the XSS attack.

By ABC News
September 21, 2010, 9:10 AM

Sept. 21, 2010 -- After a new Twitter security hack created chaos for thousands of users, the company said it had fixed the problem.

"We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," Twitter said on its status blog. Soon after, the company said the breach had been fully patched.

But before the company addressed the flaw, it could have affected hundreds of thousands of Twitter users, according to an expert with computer security firm Sophos.

The flaw spread quickly because it allowed unwanted messages and websites to open in browsers as users moved their mice over the links. Without even a click, users were directed to porn and other potentially unsavory websites.

It could have moved especially quickly because, in some cases, mousing over a malicious link appeared to cause the hack to automatically spread to other followers, said Graham Cluley, a senior technology consultant at Sophos.

"It's just throwing gas on to the fire," he told ABCNews.com.

According to Cluley, the new "OnMouseOver" security flaw affected thousands of users, including the British prime minister's wife, Sarah Brown.

On his blog, Cluley wrote that the flaw had been exploited to send visitors to Brown's Twitter page to a hardcore porn site in Japan. As soon as Brown noticed the problem, she tweeted a warning to her more than 1 million followers.

Until the hole had been fixed, Cluley warned Twitter users to stay off the site altogether and to use third-party sites, such as TweetDeck or Seesmic, instead. The mobile Twitter application appeared to be unaffected.

Cluley said some users appeared to use the flaw for fun, but it could have opened the door for cybercriminals to unleash more malicious and harmful attacks.

"There is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed," Cluley wrote.