Twitter hackers hit rollover jackpot

If you’re a Twitter user, it’s best to steer clear of the main site for the time being. A cross-site scripting error has led to everything from whimsical fun and games to full-on hacking attempts.

The site itself hasn’t been hacked as such, but users both fair and foul have been exploiting a flaw that allows links posted at Twitter.com to be active just from a rollover rather than a click, using the old-school Ja vascript onMouseOver function.

If you remember this from the early days of web page building, you’ll probably remember hooking up a link to produce a pop-up message to read “you smell” when the mouse rolls over it. And there’s certainly plenty of that type of japery going on, but some of the abuse is more serious.

As well as spammers exploiting the bug to produce pop-up advertising, those of a more malicious nature have been setting links to open automatically. That’s being done by using a URL shortener to get the full link in but still allow the javascript command to be inserted in a way that isn’t filtered out by the Twitter site.

A post on the account of Sarah Brown, the wife of the former British Prime Minister, is reported to have redirected readers to a Japanese hardcore porn site. And there are also reports of rollovers links sending users straight to malware sites that, for example, use a worm to hijack the Twitter account and post more links (which is presumably what happened to Brown.)

The issue doesn’t appear connected to the new Twitter.com homepage design that is being rolled out to users: it’s affecting visitors to both the original and revised site. Third-party applications are unaffected.

If you really feel the need to use a web version of Twitter, the version formatted for mobile devices (mobile.twitter.com) appears to be safe at the moment, with the infected links simply appearing as a string of code. Visting that site is also a quick way to see how rapidly the problem is spreading among your contacts.

(Picture credit: Sophos)