How to avoid falling into the Twitter security black hole

Seeing areas of black on Twitter.com? Don't even run your mouse over them, never mind clicking on them; each one is a nasty security hole waiting for you to fall into it.

By Steven J. Vaughan-Nichols

Twitter has a big problem. A newly discovered flaw in the design of its Web site is now being heavily exploited. Here's what you need to know now.

First, stay off the Twitter.com Web site. Third-party clients such as TweetDeck, twhirl, and Twitterfall appear to be immune, because they fetch tweets through the API and display them as plain text instead of rendering them inside Twitter's own Web page.

If you are using the Twitter.com site, the security hole will "appear" to be a block of black (the text is styled black-on-black so you can't read it). What it actually is, though, is a tiny piece of JavaScript attached to the tweet. If you so much as place your mouse over the block, no click required, the browser runs that code. This "mouseover bug" can then launch potentially malicious pop-ups, send you off to third-party sites, or even post more tweets from your account, thus spreading the problem to everyone who follows you.

In other Twitter clients, the exploit shows up as a harmless-looking code fragment instead. The code relies on the HTML onmouseover event-handler attribute, which runs its contents whenever the pointer passes over the element it is attached to. The one below, for example, showed up as coming from a friend earlier today:

onmouseover="document.getElementById('status').value='RT Matsta';$('.status-update-form').submit();"class="mod

This particular handler writes "RT Matsta" into the page's status box and then submits the tweet form, so every Twitter.com visitor whose mouse crosses the tweet reposts it from their own account. That is why it spreads so quickly.

The root of the problem is a cross-site scripting (XSS) vulnerability in the Twitter Web page. The malicious tweets contain a Web address that ends in a double-quote character. When Twitter.com turns that address into a clickable link, it pastes the text straight into the link's href attribute without escaping it, so the quote closes the attribute early and everything after it is parsed by the browser as new attributes on the link, including the onmouseover handler and the style that paints the block black. Because the bug is in the HTML Twitter serves, it can potentially affect you no matter what operating system or Web browser you're using. Really, your best move is just to avoid the Twitter site until the problem is fixed.
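To make the mechanism concrete, here is an added example (my own illustration, not Twitter's code) of a naive tweet "autolinker" that has the same class of bug, beside a hardened version that escapes every value at the point where it is written into HTML. The tweet text, the example.test address, and the small attribute tokenizer used to check the output are all constructed for this example; the shape of the payload (a URL whose trailing quote closes the href attribute) follows the description above.

```javascript
// Added example, not Twitter's code: a naive autolinker with the article's
// class of bug, beside a hardened one. Everything here is constructed.

const URL_RE = /https?:\/\/\S+/g;

// Constructed attacker tweet. The quote after "@" ends the href value; the
// rest becomes new attributes on the <a> tag. The style attribute hides the
// link as a black block, which is what the "areas of black" are.
const PAYLOAD_TWEET =
  'hi http://example.test/@"onmouseover="alert(document.cookie)"style="color:#000;background:#000"/';

// Vulnerable: interpolates the matched URL straight into an attribute value
// and into the link text without escaping either.
function autolinkNaive(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape every character that can close an attribute value or a text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: match URLs in the raw text, then escape every piece (URL in
// attribute context, URL as link text, and the surrounding text) as it is
// written out, so no character from the tweet can change the markup.
function autolinkSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Simplified model of how a browser tokenises the first <a> tag's
// attributes: name="value" pairs, where an unescaped quote ends a value.
// This is a check for the example, not a full HTML parser.
function anchorAttributes(html) {
  const attrs = new Map();
  const tag = /<a\s+([^>]*)>/.exec(html);
  if (!tag) return attrs;
  for (const m of tag[1].matchAll(/([^\s="]+)\s*=\s*"([^"]*)"/g)) {
    attrs.set(m[1].toLowerCase(), m[2]);
  }
  return attrs;
}

// Runs both autolinkers over the payload and reports which attributes the
// browser would see on the generated link in each case.
function demo() {
  const naive = autolinkNaive(PAYLOAD_TWEET);
  const safe = autolinkSafe(PAYLOAD_TWEET);
  return {
    naiveAttrs: [...anchorAttributes(naive).keys()], // href, onmouseover, style
    safeAttrs: [...anchorAttributes(safe).keys()],   // href only
    safeHtml: safe,
  };
}

console.log(demo());
```

The fix is not to strip quotes or hunt for "onmouseover" in tweets; attackers have many encodings to get around a blacklist. The fix is to escape for the context (attribute value or text node) every time untrusted text is placed into HTML, which is what autolinkSafe does.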

You can also avoid falling into this security hole by turning off JavaScript in your browser, since the onmouseover handler can't run without it. Unfortunately, that "fix" will make many popular sites less usable (and it only protects you on the pages where it is off, so don't re-enable it for Twitter.com until the hole is closed). If that's the way you want to go though, here's how to do it in the most popular browsers:

Chrome
1. Click the Tools menu (the wrench icon) at the top right-hand corner
2. Click on Preferences
3. Go to "Under The Hood"
4. Click on "Content Settings"
5. Click on the "JavaScript" tab
6. Click on: "Do not allow any site to run JavaScript."
7. Click on Close

Internet Explorer
1. Select Internet Options from the Tools menu.
2. Click the Security tab.
3. Click Custom level in Security level for this zone.
4. Scroll down to Scripting, near the bottom of the list.
5. Under Active scripting, choose Disable.
6. Click OK to leave Security Settings. Click OK to leave Internet Options.

Firefox
1. Select Options from the Tools drop-down menu.
2. Select the Content section from the options at the top of the pop-up page.
3. Uncheck the "Enable JavaScript" box.
4. Click OK.

Safari
1. Select Preferences from the Safari drop-down menu.
2. Select the Security section from the options at the top of the pop-up page.
3. Under "Web Content," uncheck the "Enable JavaScript" box.
4. Close the Security window.

Twitter claims it has just fixed the problem. I'm not ready to give the all-clear yet myself. I'm still using Twitter, but I'm only doing it with my favorite Twitter application, Twitterfall.

At the same time, I'm finding this a painful reminder of just how fragile and insecure many popular Web sites really are. It's enough to make me miss the "Fail Whale."
