Tweet Has Now Been "Identifed And Patched"

Twitter now says that the XSS attack has now been "identified and patched".

"We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit."

"We expect the patch to be fully rolled out shortly and will update again when it is."

Already, Favstar has seen more than 24,000 retweets of one particular implementation of the bug. A quick look at the trending topics this morning shows quite how quickly the exploit has spread, with "Exploit", "Security Flaw", "Mouseover", "Onmouseover" and "XSS" taking up five of the top 10 topics.

Both Mashable and TechCrunch report having seen the exploit used to open pop-up windows, redirect users to porn sites and simply do "funny, rick-rolling type stuff", but the nature of the exploit appears to be changing quickly as the morning goes on.

Goerg Wicherski, a Kaspersky Lab Expert writing on the exploit warns that users should turn off Javascript for Twitter. "It is possible to load secondary Javascript from and external URL with no user interaction, which makes this definitely wormable and dangerous," he writes.

Twitter user Judofyr noted earlier this morning that there appeared to be an "ugly XSS hole in Twitter right now" and now says that, as far as he knows, he "started the first worm" but can't say for sure.

For now, the best bet with the website (although the new doesn't appear affected) is to avoid it until further notice. However, if you can't hold on any longer third party clients say they are standing up against the attack and are the safe route to take along the bumpy 'flaw'.

print this article

Return to security news headlines
View Security News Archive

Share with: