
Twitter Cross-Site (XSS) Exploit Discovered & Fixed

submitted on September 21, 2010 by pablos17 in "Member's Lounge"
(CNN) -- Thousands -- possibly hundreds of thousands -- of Twitter users have been hit by a security bug that causes potentially dangerous content to appear on computer screens without warning, according to a researcher at the security firm Sophos.

When users of the popular site "mouse over" a link on Twitter, the content appears even if the person did not click on it, says Graham Cluley, the researcher, who recommends users avoid Twitter until the issue is fixed.

"It's obviously the most natural thing in the world just to move the mouse across the screen," he said in an interview with CNN. "You don't have to click on a link."

The bad links may also be retweeted, or sent to that person's followers, which causes the security flaw to spread across the network.

The bug could be harmless, doing nothing other than taking users to websites that they did not intend to open, Cluley said. But it also could be exploited by hackers who could use the bug to install malicious software on a person's computer, allowing them to collect personal and financial information, he said.

It appears to affect both the new and old versions of Twitter, he said. The site recently updated its look and functionality to include links and videos that open within the pages of Twitter's website. Using the site through third-party software, like TweetDeck or Seesmic, should still be safe, he said.

  • Posted by pablos17 on September 21, 2010
    I posted this discussion thread to recommend an invaluable add-on that I cannot live without called NoScript, which I use with my preferred browser, Firefox. It blocks cross-site scripting and has more than likely saved me from getting malware on numerous occasions. It actually notified me of a cross-site scripting attempt on Twitter and blocked any further action. I even had a strange occurrence with my Yahoo mail about a year ago where it blocked some cross-site scripting attempts. After I notified Yahoo of such attempts, I saw that the notifications disappeared about a day or so later.

    I'm not sure if this add-on is available to other browsers, but I know that it works well with Firefox.

    The script blocking can be rather stringent unless you allow scripts globally (a setting that still blocks XSS), but you can still manually block certain scripts from running on a page (e.g. Google Analytics) to keep big brother from spying on you. Eeek
    • Posted by YanBz on September 21, 2010
      Installing it now!
  • Posted by siggy38 on September 21, 2010
    Thanks for the heads-up pablos17. Big Grin
