Video demonstration of a security vulnerability on Twitter that is being actively exploited. More details on Sophos Labs' Graham Cluley's blog …
Twitter is working on patching and preventing an XSS attack that affected some Twitter user accounts by causing a mouseover on certain links on a Twitter page to act as a click and redirect the browser to another website. Some of those websites have been pornographic sites, and the possibility exists that the redirect could take people to a website that attempts to download a harmful payload to the user's computer.
People are advised not to use Twitter until a fix is announced.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007. The impact of an XSS attack may range from a minor nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigations implemented by the site's owner.
White House press secretary Robert Gibbs and Sarah Brown, wife of the former British Prime Minister Gordon Brown, are among those whose Twitter accounts have been affected by the security hole.