Updated: The Twitter.com website has been hit by a security flaw that allows hackers to send bogus messages and malicious links out through a user’s account, and all a Twitter user has to do to trigger the spam is to move their mouse over a link on the Twitter site. According to the security software firm Sophos, reports of the exploit started surfacing early Tuesday morning, and the issue has affected some high-profile accounts, including Sarah Brown — the wife of the former British Prime Minister. In some cases, hackers appear to be redirecting users to porn sites.
Update: According to security consulting firm Kaspersky Labs, a new variant of the exploit, a cross-site scripting (XSS) attack, can trigger activity in a user’s account — including popup windows as well as auto-sending messages with malicious links — without any mouseover or clicking on the part of the user. All that is required is that a user load the page. Twitter’s @safety account says the company is working on repairing the issue, and asks Twitter users to send email if they have any more information on the XSS exploit.
Update: A post on the company’s status blog says that Twitter has patched the website to shut down the vulnerability, and that the fix should be available for all users as of 6:50 PDT or 13:50 UTC. An update on the Twitter blog says that the mouseover security hole was discovered and patched a month ago, but a recent site update (unrelated to the launch of the new Twitter site) reinstated the bug.
Sophos and other online security experts are recommending that users avoid the Twitter.com website until the security flaw is fixed. The issue appears to affect only the old version of the site and not the latest redesign, which is still in the process of being rolled out. We will be updating this post as more information becomes available.
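The mouseover flaw described above is a case of a tweet’s text being dropped into a link’s HTML attribute without encoding, so a quote character in the tweet can close the attribute and start an event handler. The following added example (not Twitter’s code, and not from the original post) contrasts an unsafe link renderer with an encoded one; the tweet text, function names and the `example.com` URL are constructed for illustration.

```javascript
// Added example (not from the article or Twitter's code): a tweet-to-HTML renderer
// that turns URLs into links. The unsafe version pastes the URL straight into an
// href attribute, so a tweet that closes the quote can add a live onmouseover;
// the safe version HTML-encodes every value it interpolates.

const URL_RE = /https?:\/\/\S+/g;

// Encode the five characters that can break out of text or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: string concatenation with no encoding of the URL.
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened pattern: encode the URL both as attribute value and as element text,
// and encode the surrounding plain text as well. Only http(s) URLs are linked.
function renderTweetSafe(text) {
  const parts = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    parts.push(escapeHtml(text.slice(last, m.index)));
    const url = m[0];
    parts.push(`<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`);
    last = m.index + url.length;
  }
  parts.push(escapeHtml(text.slice(last)));
  return parts.join("");
}

// Constructed sample tweet: the URL carries a double quote followed by an
// event-handler attribute, the attribute-injection shape the article describes.
const SAMPLE_TWEET = 'see http://example.com/@"onmouseover="alert(1)" now';

// Detection check for rendered output: a quote directly followed by an on*=
// attribute means the tweet text escaped its attribute and became markup.
function hasInjectedHandler(html) {
  return /"\s*on\w+\s*=/i.test(html);
}
```

Run `hasInjectedHandler` over both renderers’ output for `SAMPLE_TWEET`: the unsafe one yields a real `onmouseover` attribute, while the safe one keeps the whole string inside the `href` value as `&quot;`-encoded text.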
Post and thumbnail photos courtesy of Graham Cluley of Sophos