Chaos on Twitter as ‘onMouseOver’ flaw is exploited


21 Sep 2010

Users are being advised to avoid the main Twitter website after an exploit that allows tweets to redirect users to other websites or repost themselves repeatedly.

The attack took advantage of the main Twitter’s web interface, which fails to disallow the ‘onMouseOver’ Javascript command.

The exploit tries to redirect users to other websites or automatically reports the tweets simply if the user hovers over the affected tweet.

The tweets involved were in large letters, making it difficult to avoid hovering over them.

The flaw was reported by Sophos, who notes that many users are exploiting this flaw just for fun, but warn it could be used for cyber crime.

“There is obviously the potential for cyber criminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed,” said Graham Cluley.

Among those affected include Sarah Brown, the wife of former British Prime Minister Gordon Brown. She then warned users to avoid the affected tweet.

The exploit doesn’t affect the majority of third-party Twitter clients. Users are advised to use these clients, such as Tweetdeck or Seesmic, as opposed to the main website.

Users should also avoid mousing over any like with the ‘onmouseover’ command or that is disguised by colours.