Twitter acts to block mouse-over autopost scams
Updated 14:30, 15:05
TWITTER HAS MOVED to implement a short-notice security patch after the service was swamped by a rampant JavaScript exploit that automatically posted itself to a user’s timeline simply by hovering the mouse over it.
Users were forced to avoid using the service’s website and instead to use third-party applications, after a series of malicious security exploits spread like wildfire over the microblogging platform.
Shortly after noon, users began seeing large chunks of blacked-out text in timelines, which – when hovered over by users mistaking the message for blacked-out formatting – automatically filled the ‘New Tweet’ space on the page and tried to post the message.
The code in question was a JavaScript exploit which masqueraded as a traditional hyperlink, so as to evade Twitter’s automatic filters, but triggered a sequence that automatically posted the same message to a user’s own timeline, thus continuing its spread.
Such malicious messages proliferated so rapidly across the site that Twitter’s security staff were forced to issue a short-notice update to the site, so as to stop such tweets from constantly republishing themselves.
Perhaps ironically, one version of the bogus “link” purported to direct to a fictional site called a.no – or, if read aloud, “Ah No”. Naturally, no such site exists.
Other versions of the malicious tweet substituted in the ‘t.co’ website – Twitter’s in-house URL shortening service – so as to further bolster their appearance of legitimacy.
Because the exploit affected all browsers using JavaScript, it was unavoidable unless users deactivated the JavaScript function from within their browser.
The exploit also manifested itself as a string of tiny characters, which activated the hack when hovered over.
Other users reported seeing ‘giant text’ when logging into the Twitter.com web-based service, though it is not known if that exploit was an identical one or a similar security flaw.
Another version of the flaw – including one that infected the account of Sarah Brown, wife of former British prime minister Gordon – redirected to Japanese pornography websites.
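The article does not publish the exploit code or Twitter's fix. As an added illustration (not Twitter's code), the sketch below assumes a link-rendering routine that pastes matched URL text into an `href` attribute unescaped, one common way text that looks like a hyperlink can end up carrying a mouse-over handler, and sets it beside an escaping version with a simple check for event-handler attributes. All function names and the sample string are constructed for this example.

```javascript
// Added example: hypothetical function names, constructed sample input.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable pattern: the matched text is placed in the attribute as-is,
// so a double quote inside it ends the href value early.
function linkifyNaive(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Hardened pattern: link only a conservative URL character set and
// HTML-escape every piece of user text on output, linked or not.
function linkifySafe(text) {
  const SAFE_URL_RE = /https?:\/\/[A-Za-z0-9.\-]+(?:\/[A-Za-z0-9._~\/\-]*)?/g;
  let out = "";
  let last = 0;
  for (const m of text.matchAll(SAFE_URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += `<a href="${u}">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Coarse review check: event-handler attribute names found in opening <a> tags.
// A quote directly before "on..." counts, because HTML parsers start a new
// attribute there even without whitespace.
function anchorEventHandlers(html) {
  const found = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    for (const m of tag.matchAll(/[\s"'](on[a-z]+)\s*=/gi)) {
      found.push(m[1].toLowerCase());
    }
  }
  return found;
}

// Constructed sample with a harmless handler body.
const SAMPLE = 'look http://a.no/x"onmouseover="void(0)" ok';
```

Running `anchorEventHandlers` over rendered output in a regression test gives a quick signal when a rendering change reintroduces unescaped attribute content.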