
Twitter acts to block mouse-over autopost scams

The microblogging site springs into action to block an exploit that automatically posted a string of garbled or obscured text.

It's not censorship: it's the latest Twitter security exploit.
Image: @gavreilly

Updated 14:30, 15:05

TWITTER HAS MOVED to implement a short-notice security patch after the service was swamped by a rampant JavaScript exploit that automatically posted itself to a user’s timeline simply by hovering the mouse over it.

Users were forced to avoid using the service’s website and instead to use third-party applications, after a series of malicious security exploits spread like wildfire over the microblogging platform.

Shortly after noon, users began seeing large chunks of blacked-out text in timelines, which – when hovered over by users mistaking the message for blacked-out formatting – automatically filled the ‘New Tweet’ space on the page and tried to post the message.

The code in question was a JavaScript exploit that masqueraded as an ordinary hyperlink, so as to evade Twitter’s automatic filters, but triggered a sequence that automatically posted the same message to a user’s own timeline, thus continuing its spread.

The rapid proliferation of such malicious messages across the site meant that Twitter’s security staff were forced to issue a short-notice update to the site, so as to stop such tweets from constantly republishing themselves.

Perhaps ironically, one version of the bogus “link” purported to direct to a fictional site called a.no – or, if read aloud, “Ah No”. Naturally, no such site exists.


One such message, as it appeared in timelines:

" style="color:#000;background:#000;/

Other versions of the malicious tweet substituted in the ‘t.co’ website – Twitter’s in-house URL shortening service – so as to further bolster their appearance of legitimacy.
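As an added illustration (not code from the article, nor Twitter’s own), the class of defect described above: a link-formatting routine that copies a URL into an href attribute without escaping it lets a double quote inside the “link” close the attribute early, so the remainder becomes extra attributes on the anchor (here the black-on-black style fragment quoted above), while attribute-encoding the value stops it. That Twitter’s filter failed in exactly this way is an assumption; the sample tweet is constructed.

```javascript
// Constructed sample tweet: the "link" carries the fragment quoted above,
// written with no spaces so a naive URL matcher swallows the whole thing.
const SAMPLE_TWEET = 'look: http://a.no/"style="color:#000;background:#000;/ wow';

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable linkifier: the matched text is copied into the href attribute
// unescaped, so the double quote inside it ends the attribute early and the
// rest of the "URL" is parsed as further attributes on the <a> element.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Encode the characters that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened linkifier: the URL is attribute-encoded before insertion, so a
// quote in it is rendered as &quot; and can no longer close the attribute.
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    const enc = escapeHtml(url);
    return `<a href="${enc}">${enc}</a>`;
  });
}

// Names of the attributes a browser would see on the first <a> tag; used to
// show whether an attribute the author never wrote has been injected.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}
```

The unsafe output yields an anchor with both href and style attributes; the hardened output yields only href, with the whole fragment kept harmlessly inside the URL.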

Because the exploit affected all browsers using JavaScript, it was unavoidable unless users deactivated the JavaScript function from within their browser.

The exploit also manifested itself as a string of tiny characters (pictured right), which activated the hack when hovered over.

Other users reported seeing ‘giant text’ when logging into the Twitter.com web-based service, though it is not known if that exploit was an identical one or a similar security flaw.

Another version of the flaw – including one that infected the account of Sarah Brown, wife of former British prime minister Gordon – redirected to Japanese pornography websites.

About the author:

Gavan Reilly
