Neowin user Michael Forcer tipped us off to a potentially dangerous new cross-site scripting (XSS) vulnerability in Twitter. The payload, reproduced here for the sake of disclosure since it is already making the rounds:
http://twitter.com/[yoururl]#@"style="background-color:white;color:white"onmouseover="alert(insert script here)"/
The URL abuses Twitter's automatic hyperlinking of URLs and @usernames in tweets. The double quote that follows the @ closes the generated link's href attribute early, so the style and onmouseover attributes that come after it are written into the link tag as-is; the style hides the text in white-on-white, and the onmouseover handler runs the attacker's script as soon as a pointer passes over the tweet. Twitter identified and patched the issue on Tuesday, after it had been live for several hours.
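To make the attribute break-out concrete, here is an added example (not Twitter's code and not the original post's): a toy tweet linkifier that builds the link by string concatenation, next to a hardened version that escapes what it interpolates, plus a small attribute tokenizer that mimics the browser's forgiving parsing of one attribute starting right after another's closing quote. The payload is the article's URL with a harmless `alert(1)` in place of "insert script here"; the `someuser` path and the tweet text are constructed for the example.

```javascript
// Added example, not Twitter's implementation. Demonstrates why a quote in
// an auto-linked URL ends up as new attributes on the <a> tag, and how
// escaping the interpolated value closes the hole.

const URL_RE = /https?:\/\/[^\s<]+/g;

// Constructed from the article's payload; alert(1) stands in for the script.
const PAYLOAD =
  'http://twitter.com/someuser#@"style="background-color:white;color:white"onmouseover="alert(1)"/';
const TWEET = 'check this out ' + PAYLOAD;

// Vulnerable: the matched URL is dropped straight into the href attribute.
// The first " inside the URL terminates the attribute, and everything after
// it is parsed as further attributes (style=..., onmouseover=...).
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that matter inside attribute values and text nodes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every interpolated value is escaped, so a quote in the URL stays
// inside the href value as &quot; instead of closing it.
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}" rel="noopener">${safe}</a>`;
  });
}

// Minimal tokenizer that lists the attribute names of the first tag in an
// HTML string. Like a browser, it accepts a new attribute name immediately
// after a closing quote, which is exactly why the injected attributes took
// effect on Twitter's page.
function attributeNames(html) {
  const start = html.indexOf('<') + 1;
  const end = html.indexOf('>', start);
  const tag = html.slice(start, end === -1 ? html.length : end);
  const names = [];
  let i = 0;
  while (i < tag.length && !/[\s\/]/.test(tag[i])) i++; // skip the tag name
  while (i < tag.length) {
    if (/[\s\/"'=]/.test(tag[i])) { i++; continue; }   // separators, stray quotes
    let name = '';
    while (i < tag.length && !/[\s=\/"']/.test(tag[i])) name += tag[i++];
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {                                // consume the value
      i++;
      while (i < tag.length && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        const close = tag.indexOf(q, i + 1);
        i = close === -1 ? tag.length : close + 1;
      } else {
        while (i < tag.length && !/\s/.test(tag[i])) i++;
      }
    }
    names.push(name.toLowerCase());
  }
  return names;
}

console.log(attributeNames(linkifyVulnerable(TWEET))); // [ 'href', 'style', 'onmouseover' ]
console.log(attributeNames(linkifySafe(TWEET)));       // [ 'href', 'rel' ]
```

The regex-based linkifier is the shape of the bug, not its fix: escaping the value on output is the minimum, and building the anchor with DOM APIs (`document.createElement('a')`, then setting `href`) avoids string-assembled markup altogether.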
Thousands of Twitter accounts posted messages exploiting the flaw. According to Graham Cluley at Sophos, most Twitter users used the flaw for fun and games. "Hopefully Twitter will shut down this loophole as soon as possible", Cluley wrote in a blog post describing the vulnerability. The payload also spread in worm fashion: some variants carried script that retweeted the message automatically, without waiting for a mouseover.
Twitter confirmed in a company blog post that it had fixed the flaw after several hours. "We've identified and are patching a XSS attack", the post said. It was later updated to confirm the flaw had been successfully patched.
This isn't the first time such a large flaw has existed on Twitter's main website. In early May this year, Twitter users were able to force others to follow them with a simple command inside a tweet. Twitter was quick to act on that flaw, issuing a status message indicating that the bug had been remedied and that protected updates had not become public as a result of the "bug". The latest flaw comes a week after the company announced plans for a total overhaul of Twitter.com.
Image Credit: Richard Scott (Flickr)