Twitter Fixes Security Flaw After Thousands Hit

Twitter says it has identified and patched the XSS attack.

Sept. 21, 2010— -- After a new Twitter security hack created chaos for thousands of users, the company said it had fixed the problem.

"We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," Twitter said on its status blog. Soon after, the company said the breach had been fully patched.

But before the company addressed the flaw, it could have affected hundreds of thousands of Twitter users, according to an expert with computer security firm Sophos.

The flaw spread quickly because it allowed unwanted messages and websites to open in browsers as users moved their mouses over the links. Without even a click, users were directed to porn and other potentially unsavory websites.

It could have moved especially quickly because, in some cases, mousing over a malicious link appeared to cause the hack to automatically spread to other followers, said " target="_blank">Graham Cluley, a senior technology consultant at Sophos.

"It's just throwing gas on to the fire," he told ABCNews.com.

According to Cluley, the new "OnMouseOver" security flaw affected thousands of users, including the British prime minister's wife, Sarah Brown.

On his blog, Cluley wrote that the flaw had been exploited to send visitors to Brown's Twitter page to a hardcore porn site in Japan. As soon as Brown noticed the problem, she tweeted a warning to her more than 1 million followers.

Security Experts: Flaw Opens Door for Cybercriminals to Unleash Attacks

Until the hole had been fixed, Cluley warned Twitter users to stay off the site altogether and to use third-party sites, such as TweetDeck or Seesmic, instead. The mobile Twitter application appeared to be unaffected.

Cluley said some users appeared to use the flaw for fun, but it could have opened the door for cybercriminals to unleash more malicious and harmful attacks.

"There is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed," Cluley wrote.

Twitter Flaw's Origins Not Known

While Cluley said it's difficult to know exactly where the hack started, he said it seemed that a Twitter user was showing others how to use the flaw to generate rainbows when people moused over a link. Once news of the flaw spread, it's possible that the more maliciously minded used the security hole for thier own purposes.

To see how the hack actually worked on Twitter, check out a video Clulely posted a on YouTube.