
OnMouseOver XSS Vulnerability on Twitter

Sep 21

This morning we observed a Cross-Site Scripting (XSS) attack taking place on Twitter. This particular vulnerability took advantage of the onmouseover event handler in JavaScript, which executes JavaScript code as soon as the user moves the mouse over some text.

The following status updates were observed, causing unsuspecting users' feeds to fill up with images of rainbows:

Mouseover Vulnerability on Twitter

After hovering over the mouseover code:

Tweet after Mouseover Vulnerability

Here are some of our observations on this attack:

  • The malicious string can be automatically sent to followers, continuing the distribution of the tweet in a worm-like fashion.
  • Strange messages appear in giant letters, dialog boxes reading “Hello”, blacked-out tweets, etc.
  • Anyone visiting an affected user's profile may be redirected to another web address.

This particular attack could have been nasty in the hands of skilled cybercriminals, but fortunately the Twitter staff have already patched the site against this and future attacks like it.
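As an added illustration (not code from the original post), the Python below shows the two defender-side checks whose absence makes this kind of attack possible: a heuristic scan of status text for inline event-handler attributes such as onmouseover, and attribute-context escaping plus scheme validation before a user-supplied link is rendered as HTML. The sample statuses are constructed for the example, not real tweets from the incident.

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Heuristic: an inline HTML event-handler attribute (onmouseover=, onclick=,
# onerror=, ...) with optional whitespace around "=". Plain status text has
# no business containing one; treat a match as a signal worth reviewing.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def has_inline_event_handler(text: str) -> bool:
    """True if the raw status text looks like it carries an event-handler attribute."""
    return EVENT_HANDLER_RE.search(text) is not None


def safe_link_html(url: str) -> Optional[str]:
    """Render a user-supplied URL as an anchor, or return None if it is rejected.

    Two defenses, both required:
    1. Allow only http/https (rejects javascript: and other active schemes).
    2. Escape the URL for the attribute context, so a quote inside it cannot
       close the href attribute and start a new one such as onmouseover=...
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    escaped = html.escape(url, quote=True)  # " -> &quot;  < -> &lt;  & -> &amp;
    return f'<a href="{escaped}">{escaped}</a>'


# Constructed sample status updates (hypothetical; the second one carries a
# quote that would break out of an unescaped href attribute).
SAMPLE_STATUSES = [
    "Check out http://example.com/page",
    'http://example.com/"onmouseover="doSomething()"/',
]


def scan(statuses: List[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """For each status return (text, flagged, safely rendered link or None)."""
    results = []
    for status in statuses:
        flagged = has_inline_event_handler(status)
        link = status.split()[-1]  # naive autolinker: last token is the URL
        results.append((status, flagged, safe_link_html(link)))
    return results
```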

Twitter Status Update


Comments (2)


  1. melina says:

    Hi, just a suggestion: it would be great to have a search box in this blog.


  2. [...] information on the PandaLabs blog. More related [...]
