Saturday, September 25, 2010

Twitter onMouseOver flaw poses huge risk to users, is being actively exploited

Filed under: Security
Sophos Labs' Graham Cluley posted this morning about a nasty little Twitter security flaw that is being actively exploited. Twitter apparently doesn't filter onMouseOver JavaScript out of tweets, so the handler (you guessed it!) kicks in when your mouse pointer passes over a specially crafted link.

What happens next is up to the creator. It could be something harmless like the alert box you see above, or it could just as easily be a rogue antivirus pop-up or some nasty porn site. Again, you don't need to click -- you simply have to mouse over a link. As Cluley points out, all Twitter really needs to do is strip the onMouseOver text out of tweets before they are displayed.
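To make the bug concrete, here is an added illustration in JavaScript. It is not code from the original post and not Twitter's code; the function names, the hypothetical `renderLinkNaive`/`renderLinkSafe` pair and the `example.com` sample input are all constructed for this example. The naive renderer pastes the user-supplied link straight into the markup, so a stray quote in the input ends the `href` attribute and whatever follows becomes a new attribute on the anchor. The hardened renderer only accepts http(s) URLs, lets the URL parser canonicalize them, and escapes the value before embedding it, so no event-handler attribute can appear.

```javascript
// Added example: attribute injection through an unescaped link, and a fix.
// Not part of the original post or of Twitter's code base.

// Minimal HTML attribute escaper: enough to keep a value inside its quotes.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Naive renderer (hypothetical): drops user text straight into the markup.
// A quote in the input closes the href attribute; anything after it is
// parsed as further attributes, including onmouseover.
function renderLinkNaive(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened renderer (hypothetical): scheme allowlist, canonicalize, escape.
// Returns null for anything that is not an http(s) URL so the caller can
// render it as plain text instead of as a link.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url); // WHATWG parser; percent-encodes quotes and spaces in the path
  } catch (e) {
    return null; // not a URL at all
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return null; // reject every non-http(s) scheme
  }
  const safe = escapeAttr(parsed.href);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Simple check a reviewer or a test can run over rendered output:
// does the anchor tag carry any on...= event-handler attribute?
function hasEventHandlerAttr(html) {
  return /<a\b[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample input: a "URL" that closes the href quote and appends
// a mouseover handler, the shape of the tweet described in the post.
const crafted = 'http://example.com/" onmouseover="alert(1)';

console.log("naive :", renderLinkNaive(crafted), "->", hasEventHandlerAttr(renderLinkNaive(crafted)));
console.log("safe  :", renderLinkSafe(crafted), "->", hasEventHandlerAttr(renderLinkSafe(crafted)));
```

The fix has two independent parts, and both matter: the scheme allowlist stops links that are not really web links, and the escaping stops the quote from ending the attribute early. Escaping alone would already keep the handler inert, but canonicalizing through the URL parser first also means the rendered `href` is a well-formed URL rather than a blob of text that merely happens to be escaped.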

TweetDeck reminds users that this exploit doesn't affect third-party clients. Unless you're using twitter.com, you should be totally safe.

At this point, probably 70% of the users I question about how they got an infection are telling me that they were fine until they clicked something from a friend on Facebook or Twitter. I'm starting to think those two sites are going to play cat-and-mouse with Adobe Reader and the Flash Player plug-in for the "who can cause the most malware infections" crown.

update: Twitter responded in a hurry, and the exploit has already been patched.

This post originally appeared on Download Squad on Tue, 21 Sep 2010 09:00:00 EST.
