Twitter Javascript vulnerability: t.co links?

The twitter.com website was allowing naughty Javascript to be presented to users for a short while, and it looks like the t.co url shortener was to blame. The Javascript appears to be injected into tweets that are shortened via Twitter's own url shortening service, and includes a mouseover event that fires off a tweet of its own, propagating the 'virus' to your followers.

Twitter have now sorted out the affected tweets and issued an all-clear. Here is the notice on their status page:

We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.

We expect the patch to be fully rolled out shortly and will update again when it is.

Update (6:50 PDT, 13:50 UTC): The exploit is fully patched.

If you don't already use a desktop client, use twhirl to sign in to your account and remove any offending tweets the virus might have sent on your behalf.

To be honest, it does make you think: people/businesses have come to rely on Twitter as a communication channel if things go wrong, but what if Twitter itself goes wrong? There should always be a contingency in place, within reason.

Here are some tweets about the topic:

• @Malarkey What just happened?
• @gavinmontague What the hell are all you people doing using the Twitter website?!
• @f opened twitter on my browser. big mistake. Dear @twitter: learn what XSS and escaping means. QA took a break these days?
• @phpcamp RT: @ppk: TURN OFF TWITTER WEBSITE NOW! XSS attack in progress.
• @ruskin147 Oh dear - it looks like twitter.com has exploded - keep away until someone clears it all up
• @donncha Filtering my "All Friends" column in TweetDeck by "9999999999" is enlightening.
• @wordtracker RT @rishil: @davenaylor highlighted the JS exploit a year ago http://bit.ly/bByfwn #havingproblemswithyourtwitterwebpage?
• @chrisgarrett RT @alfox: Twitter Mouseover Security Flaw Affecting 000s of Users. http://mash.to/2HoSA *AVOID* twitter.com USE apps
• @TechCrunch Warning: Onmouseover Twitter Security Flaw Is Wreaking Tweet Havoc http://tcrn.ch/9aThkk by @mikebutcher
• @ruskin147 http://bit.ly/aasdU1 Top security blogger @gcluley on the Twitter flaw
• @ruskin147 http://bbc.in/aGaico BBC: "Twitter flaw pumps out spam links"
• @donncha RT @hopeless: Telling people to stay off twitter home page is like telling Dougal not to push the big red button
• @techradar Twitter 'onmouseover' security flaw hits Twitter.com http://ow.ly/2HpXr
• @DaveNaylor Another Day, Another Twitter Exploit - http://bro.gs/ycei
• @TheNextWeb More updates to the Twitter problems. Insight from Kaspersky security expert: "Turn off JavaScript for Twitter!" http://tnw.to/16oWB
• @chrisgarrett Caught by the Twitter exploit? -> RT @twowheelgeek: @socialscope allows you to edit your profile.
• @mashable Twitter Mouseover Security Flaw Affecting Thousands of Users [WARNING] - http://mash.to/2HrDf (updated with more info)
• @TechCrunch The Top 5 Ways To Avoid And Fix The Onmouseover Twitter Bug http://bit.ly/bxz6yx by @TCEurope
• @spam RT @safety: We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.
• @Scobleizer RT @seanodotcom: @Scobleizer It's not "patched" yet: "We expect the patch to be fully rolled out shortly and will update again when it is."
• @TheNextWeb Does today's Twitter attack signal a t.co failure? http://tnw.to/16oXW by @BradTNW on @TNWsocialmedia

For your convenience, here is Twitter's status feed: Timeout on http://status.twitter.com/rss
No channel data

Tweet

Comments

It's quiet in here...Add your comment