Twitter Website Hacked, User Accounts Filled With Spam

Updated: The website has been hit by a security breach that allows hackers to send bogus messages and malicious links out through a user’s account, and all a Twitter user has to do to trigger the spam is to move their mouse over a link on the Twitter site. According to the security software firm Sophos, reports of the exploit started surfacing early Tuesday morning, and the issue has affected some high-profile accounts, including Sarah Brown — the wife of the former British Prime Minister. In some cases, hackers appear to be redirecting users to porn sites.

Update: According to security consulting firm Kaspersky Labs, a new version of the exploit, known as an XSS (cross-site scripting) attack, can trigger activity in a user’s account — including popup windows as well as auto-sending messages with malicious links — without any mouseover or clicking on the part of the user. All that is required is that a user load the page. Twitter’s @safety account says the company is working on repairing the issue, and asks Twitter users to send email if they have any more information on the XSS exploit.

Update: A post on the company’s status blog says that Twitter has patched the website to shut down the vulnerability, and that the fix should be available for all users as of 6:50 PDT or 13:50 UTC. An update on the Twitter blog says that the mouseover security hole was discovered and patched a month ago, but a recent site update (unrelated to the launch of the new Twitter site) reinstated the bug.

Some hackers seem to be using the exploit to send random bits of code, which could be related to the original vulnerability — a well-known security issue that uses the JavaScript “onmouseover” attribute to pop up windows and trigger other events. In this case, some hackers are using it to send tweets, or to pop up windows with malicious links in the hope that some users will click on them. Some Twitter users have been sending out messages that have the words blacked out, which appears to be an attempt by hackers to get other users to click on the message and trigger a malicious link.
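As an added example (not Twitter’s code, and not a description of its actual patch), here is the link-rendering pattern behind this bug class in JavaScript: a user-supplied URL interpolated into an href attribute without encoding, beside a hardened version that restricts the scheme and attribute-encodes the value, plus a check that flags inline event-handler attributes in the produced markup. The function names and the sample URL are constructed for illustration.

```javascript
// Added illustration of the onmouseover attribute-injection bug class.
// Not Twitter's code; function names and inputs are constructed.

// Encode the characters that matter inside a double-quoted HTML attribute.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the URL is dropped straight into the attribute, so a
// double quote inside it closes the href value and whatever follows is parsed
// as further attributes (for example an onmouseover handler).
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened pattern: parse and normalise the URL (which percent-encodes quotes
// and spaces in the path), allow only http/https, and attribute-encode the
// result before it reaches the markup.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not a URL at all
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null; // reject javascript:, data:, etc.
  }
  const enc = encodeAttr(parsed.href);
  return '<a href="' + enc + '">' + enc + '</a>';
}

// Heuristic check for review or tests: does any tag in the rendered markup
// carry an inline event-handler attribute (on...=)? Good enough for output
// produced by the two renderers above; not a general HTML parser.
function hasEventHandlerAttr(html) {
  return /<[^>]*\s(on[a-z]+)\s*=/i.test(html);
}
```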

Sophos and other online security experts are recommending that users avoid the website until the security flaw is fixed. The issue appears to only affect the old version of the site and not the latest redesign, which is still in the process of being rolled out. We will be updating this post as more information becomes available.


Post and thumbnail photos courtesy of Graham Cluley of Sophos