Security firm Sophos posted a blog entry on Tuesday highlighting a new and potentially dangerous hack of Twitter's web interface that has begun to circulate.
The hack, which affects only Twitter.com and not third-party clients, works by embedding an HTML 'onmouseover' event handler, with JavaScript attached, inside a URL in a tweet. Because Twitter.com rendered the URL into the page without escaping it, the handler became part of the link itself and its script ran as soon as someone hovered the cursor over that link; in the early proof-of-concept tweets that meant a pop-up message. The loophole appears to work in both the redesigned Twitter web interface that was launched on Wednesday and the previous version.
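The following is an added example, not code from this article, from Sophos or from Twitter. It models the class of bug described above with two stand-in link renderers: one that pastes a tweet's URL straight into an `href` attribute, and one that restricts the scheme and attribute-escapes the URL on output. The payload string is constructed for illustration and is not the worm's real text; the tokenizer at the end is a test oracle that reads attributes roughly the way a browser would, so the difference between the two renderers can be checked rather than eyeballed.

```javascript
// Added example, not code from the article, Sophos or Twitter. It models the
// bug class described above: a tweet's URL pasted into <a href="..."> without
// attribute escaping lets a quote inside the URL close the attribute and
// smuggle in an onmouseover handler. Payload and renderers are constructed
// stand-ins, not Twitter's real code or the worm's real string.

// Constructed payload: the quote after "@" ends the href value, and the rest
// is parsed as a new attribute on the same <a> tag.
const SAMPLE_PAYLOAD = 'http://a.no/@"onmouseover="alert(1)"/';

// Vulnerable renderer: string-concatenates the URL straight into the markup.
function renderLinkVulnerable(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the characters that can terminate an attribute or start a tag.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: allow only http(s) schemes (keeps javascript: URLs out of
// href) and attribute-escape on output so a quote can no longer end the value.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) {
    return escapeHtmlAttr(url); // render as plain text, not as a link
  }
  const esc = escapeHtmlAttr(url);
  return '<a href="' + esc + '">' + esc + '</a>';
}

// Minimal attribute tokenizer for the first tag in a fragment. A quoted value
// ends at the matching quote; whatever follows is read as the next attribute
// name, which is exactly how the payload gains an onmouseover attribute.
function attributeNames(html) {
  const m = /<[a-z][^\s>]*/i.exec(html);
  if (!m) return [];
  const names = [];
  let i = m.index + m[0].length;
  const n = html.length;
  while (i < n) {
    while (i < n && /[\s\/]/.test(html[i])) i++;
    if (i >= n || html[i] === '>') break;
    const start = i;
    while (i < n && !/[\s=\/>]/.test(html[i])) i++;
    const name = html.slice(start, i).toLowerCase();
    while (i < n && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < n && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < n && html[i] !== q) i++;
        i++;
      } else {
        while (i < n && !/[\s>]/.test(html[i])) i++;
      }
    }
    if (/^[a-z]/.test(name)) names.push(name);
  }
  return names;
}

// True if the rendered link carries any on* event-handler attribute.
function hasEventHandler(html) {
  return attributeNames(html).some((name) => name.startsWith('on'));
}

console.log('vulnerable:', renderLinkVulnerable(SAMPLE_PAYLOAD),
  '-> handler:', hasEventHandler(renderLinkVulnerable(SAMPLE_PAYLOAD)));
console.log('hardened:  ', renderLinkSafe(SAMPLE_PAYLOAD),
  '-> handler:', hasEventHandler(renderLinkSafe(SAMPLE_PAYLOAD)));
```

The fix that matters is the contextual output encoding in `renderLinkSafe`: the escaped URL still contains the text `onmouseover=`, but as data inside the attribute value rather than as a second attribute. The scheme allow-list is a separate defence against `javascript:` links and does nothing on its own against attribute breakout, which is why both are applied.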
Sophos notes that the exploit is spreading rapidly and that it is now being used to redirect users to hardcore porn sites. The security hole is also being used to 'auto-tweet' the same mouseover links from victims' own accounts, which is why it spreads so quickly, and thousands of Twitter users are falling prey to it. For the time being, using a third-party Twitter client may be the safest option, since the flaw lies in how Twitter.com renders links rather than in the tweets themselves.
UPDATE: Twitter has announced in a blog entry that it has patched the flaw. According to a post from Del Harvey, Twitter's head of trust and safety, the "attack should now be fully patched and no longer exploitable".
For more on this ZDNet UK-selected story, see Sophos highlights Twitter URL vulnerability on CNET News.

[Screenshot: Twitter has been hit by a JavaScript hack. Credit: @Wiggysan]