Twitter.com Shuts Down 'onMouseOver' Attack
It's the message that tens of thousands of Twitter.com users could have used Tuesday morning after a rapidly spreading worm pummeled them with pop-ups, spam and pornographic tweets and then re-tweeted them to everyone on their contact list.
Twitter said early Tuesday that the attack -- known as the onMouseOver attack due to the type of JavaScript used -- had been effectively eliminated and that no user account information, such as usernames and passwords, had been compromised.
"We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit. We expect the patch to be fully rolled out shortly and will update again when it is," Twitter executives said in a blog post Tuesday.
The company later provided an update alerting users that "The exploit is fully patched."
The attack was launched when hackers exploited a cross-site scripting vulnerability, using the onMouseOver JavaScript event to run code automatically once users visited Twitter.com. Some users received an enhanced version of the attack that re-tweeted itself out to all the Twitter followers on their contact lists.
Micro-blogging site Twitter has borne the brunt of numerous spam and malware attacks as it experienced exponential growth in 2009 and 2010.
This latest attack was distinguished by the fact that users didn't even have to click on the malicious tweets for them to be activated. Rather, users only had to move their mouse over the tweets in order to be subjected to serial pop-ups, Technicolor and pornographic tweets.
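The sketch below is an added illustration of this class of flaw, not Twitter's code and not a reconstruction of the actual bug. It shows how message text pasted unencoded into an HTML attribute can gain an onmouseover handler, and how output encoding prevents it. The function names, the sample message and the example.test URL are all constructed for the example.

```javascript
// Constructed sample: a "URL" carrying a double quote that closes href early.
const SAMPLE = 'look http://example.test/"onmouseover="alert(1)"/ now';

// Hypothetical vulnerable renderer: the matched URL goes into href unencoded,
// so a quote inside it ends the attribute and starts a new one.
function linkifyUnsafe(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-encode the characters that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every piece of user text is encoded, including the URL.
// Only http(s) URLs are linked, so other schemes never reach href.
function linkifySafe(text) {
  return text
    .split(/(https?:\/\/\S+)/) // odd indexes hold the captured URLs
    .map((part, i) => {
      const enc = escapeHtml(part);
      return i % 2 === 1 ? `<a href="${enc}">${enc}</a>` : enc;
    })
    .join('');
}

// Review check: list event-handler attribute names (on*) found in start tags.
// Quoted values are blanked first so "onmouseover=" inside a value is ignored.
function eventHandlerAttrs(html) {
  const found = [];
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    const namesOnly = tag.replace(/"[^"]*"|'[^']*'/g, '""');
    for (const m of namesOnly.matchAll(/\bon[a-z]+(?=\s*=)/gi)) {
      found.push(m[0].toLowerCase());
    }
  }
  return found;
}

console.log(eventHandlerAttrs(linkifyUnsafe(SAMPLE))); // handler attribute present
console.log(eventHandlerAttrs(linkifySafe(SAMPLE)));   // no handler attribute
```
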
However, the attack seemed to target only Twitter.com and didn't affect third-party apps, such as Tweetdeck and Tweetie, used to read tweets on alternative platforms.
Meanwhile, despite its abbreviated life span, the attack likely managed to affect tens of thousands of users, including Sarah Brown, the wife of the former British prime minister, with more than 1.1 million followers; White House Press Secretary Robert Gibbs, with 97,000 followers; and the White House's official Twitter feed, which touts 1.8 million followers.